A desktop is the arrangement of windows, icons, and menus in a computer's graphical user interface (GUI) that allows the user to control the computer and that reflects the state of that use. A virtual desktop is a desktop that exists beyond a computer's current display. A virtual desktop may, for example, stretch the boundaries of a standard desktop to extend beyond the visible display. A virtual desktop may also exist undisplayed, stored in memory but not visible to the user unless he asks to see it.
A single computer may support multiple virtual desktops. A user on the computer can create multiple virtual desktops and then switch among them when desired. Each virtual desktop maintains an independent state of user interaction, showing actions taken within that desktop: applications started, windows opened, results of actions, icons arranged, and so on.
Because each virtual desktop maintains a separate state of user interaction, virtual desktops are a useful tool for creating separate work environments for a user, much like creating separate rooms in a house for different activities such as a workshop, a laundry room, an office, and so on. Each virtual desktop is set up with running applications, window placement, desktop tools, and other user interface elements to support a specific set of activities. A user may, for example, create one desktop for checking personal email and browsing the web, another desktop for a complex task such as editing video, and another desktop for high-privilege management such as network administration work.
As a user works in different virtual desktops within a single user session (that is, all activity that happens after the user logs on), the user's permissions to use computer resources (his authorization) are the same in each desktop. Those permissions apply to each application and other processes that the user launches in that desktop. When the user logs on to the computer and is authenticated, the computer determines the user's authorization for that session. That authorization persists for the duration of the user's session across all virtual desktops.
If, for example, a user logs on to a computer with a user account that has authorization to run simple programs like a web browser or a word processor, but does not have authorization to connect to other computers in the network and work on those computers, that authorization is the same in all of the user's virtual desktops regardless of the intent of each desktop.
A user can, if desired, launch programs in a desktop that execute using a different authorization than the desktop has. In a Windows environment, a user can execute the “runas.exe” command, which accepts a new user name, password, and name of a program to execute. If the new user account is valid, Windows executes the program using the privileges of that new user. A user in a low-privilege desktop can, for example, use runas.exe to execute a program under the “admin” account to gain high-level authorization for the program. The command “sudo” does much the same in UNIX and UNIX-like environments.
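The following PowerShell audit is an added example, not part of the original text. It lists the processes in the current logon session and flags those running under an account other than the session's user, which is what a program started through runas.exe looks like. It assumes the script runs in a PowerShell window that the logged-on user started normally (not itself through runas.exe); the variable and property names are this example's own.

```powershell
# Added example: find processes in this logon session that run under a
# different account than the session's user (e.g. started via runas.exe).

# The session this shell belongs to, and the account it runs as.
# Assumption: this shell was started normally by the logged-on user.
$sessionId   = (Get-Process -Id $PID).SessionId
$sessionUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Every process in the session, regardless of which virtual desktop shows it.
$processes = Get-CimInstance -ClassName Win32_Process -Filter "SessionId = $sessionId"

$report = foreach ($proc in $processes) {
    # GetOwner fails (non-zero ReturnValue) for processes the caller may not
    # query, which is common for other accounts when the shell is not elevated.
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner `
                 -ErrorAction SilentlyContinue

    if ($owner -and $owner.ReturnValue -eq 0) {
        $account = '{0}\{1}' -f $owner.Domain, $owner.User
    } else {
        $account = '<owner unavailable>'
    }

    [pscustomobject]@{
        ProcessId     = $proc.ProcessId
        Name          = $proc.Name
        Owner         = $account
        SameAsSession = ($account -ieq $sessionUser)
    }
}

# Summary: how many processes each account owns in this session.
$report | Group-Object -Property Owner |
    Select-Object -Property Count, Name |
    Sort-Object -Property Count -Descending |
    Format-Table -AutoSize

# Detail: processes whose authorization differs from the session user's.
# Windows' own per-session system processes also appear here, so review
# the list rather than treating every row as a runas.exe launch.
$report | Where-Object { -not $_.SameAsSession } |
    Sort-Object -Property Owner, Name |
    Format-Table -Property ProcessId, Name, Owner -AutoSize
```

Processes the user launched normally all show the same owner no matter which virtual desktop they were started from; a program started with runas.exe shows the alternate account or, from a non-elevated shell, an unavailable owner.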