Sign in with
Sign up | Sign in
Your question

Windows 2003 - User Logins vs Software

Last response: in Windows XP
Share
Anonymous
February 25, 2005 12:21:03 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

We have recently installed a Windows 2003 domain server. Our workstations
are running Windows XP Professional. The individual users do not have rights
to install programs but have access to common areas on the server. All
documents are saved to the server; however, because we are running various
software the workstations may have various software packages installed.

Some of the software will not work unless the user has administrative rights
to the server. I have tried several ways to install in the software. Most
recently, I resorted to the following steps. Sometimes it works but not
always:

1. Set the user to Administrator privileges
2. Install software under his/her username with the Administrator permissions
3. I test the software and is working properly at this phase. I cannot
install the software using their username unless they have administrative
access to the machine. I've this test was after I realized when I install
the software as an administrator, the software will not work for them with
their user rights.
4. After all is checked and running properly, I reset their user rights to
the company user profile.

The result is the software will not work. I have two software packages that
will not work and one Vinyl cutter (printer) that will not work unless the
workstation is logged on with administrative access. We have 14 workstations
and three laptops running off this server. We cannot keep giving the users
administrative access because the software doesn't work. Can you please
advise what I can do to fix the problem and still maintain network security.

Thankyou,
--
Marilyne
February 25, 2005 8:44:37 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Marilyne wrote:

> We have recently installed a Windows 2003 domain server. Our
> workstations
> are running Windows XP Professional. The individual users do not have
> rights
> to install programs but have access to common areas on the server.
> All documents are saved to the server; however, because we are running
> various software the workstations may have various software packages
> installed.
>
> Some of the software will not work unless the user has administrative
> rights
> to the server. I have tried several ways to install in the software.
> Most
> recently, I resorted to the following steps. Sometimes it works but
> not always:
>
> 1. Set the user to Administrator privileges
> 2. Install software under his/her username with the Administrator
> permissions
> 3. I test the software and is working properly at this phase. I
> cannot install the software using their username unless they have
> administrative
> access to the machine. I've this test was after I realized when I
> install the software as an administrator, the software will not work
> for them with their user rights.
> 4. After all is checked and running properly, I reset their user
> rights to the company user profile.
>
> The result is the software will not work. I have two software
> packages that will not work and one Vinyl cutter (printer) that will
> not work unless the
> workstation is logged on with administrative access. We have 14
> workstations
> and three laptops running off this server. We cannot keep giving the
> users
> administrative access because the software doesn't work. Can you
> please advise what I can do to fix the problem and still maintain
> network security.
>
> Thankyou,

There very first thing you need to do is complain long and loud to the
software mftr. If there are any competitive products and one program
understands security and the other doesn't, consider changing.
Unfortunately, this isn't really practical in most cases since the
niche software usually fills such a narrow need. Your situation is
extremely common with this sort of niche industry-specific software. I
have several clients in the same boat - different industries, but same
concept. If runas won't even work for you, then you really don't have a
choice; if you have to run this software then you have to make the
users admins. Maybe someone else has a better idea - although it
certainly sounds like you've tried everything.

Malke
--
MS MVP - Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
Anonymous
February 25, 2005 8:37:48 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi,

Marilyne wrote:
> We have recently installed a Windows 2003 domain server. Our
> workstations are running Windows XP Professional. [...] Some of the
> software will not work unless the user has administrative
> rights to the server.

The mention of the server leads me to suspect you might not realize that you
can also grant a specific user local admin rights, on their particular
workstation only. To do it remotely (from the server): log on as a domain
admin, open "Active Directory Users and Computers", locate the workstation
computer object, right click and choose "Manage". Computer Management
snap-in will open for the workstation. Add the user's domain account to the
"Administrators" group under "Local users and Groups".

This only grants the user administrator priviles to that specific
workstation, which is something you should try to avoid if you can -- but it
is much less of a security compromise than handing out domain admin
privileges.

> I have two software packages that will not work and one Vinyl
> cutter (printer) that will not work unless the workstation is logged
> on with administrative access.

Sadly, this is not uncommon -- especially with limited market,
industry-specific applications (which tend to be poorly designed to begin
with and even more poorly maintained after).

Your options include:

1) Get better software. This could mean a different product, or perhaps a
newer version (if there is one and if it addresses the privilege issues).

2) Live with giving users local admin. Before you concede to that, try the
local "Power User" group -- it's a step between ordinary user and admin, and
it may suffice.

3) Tweak it. In most cases, the culprit software is only trying to write to
files and registry locations that have inherited prohibitive default
permissions. This could be data files under the installation directory,
..ini files under Windows directory, registry keys in the HKLM hive, and so
forth.

You can change the permissions on these items to allow ordinary users to
modify them and your software will be happy. With some effort and an
understanding of NTFS security and auditing, it is usually possible to get
it to work.

Unfortunately, you will have to work out what permissions are needed and
where, individually for each program. Sometimes the vendor will have
documented it in response to complaints from other users before you (it's
worth your time to call and ask), but more often than not they will just say
"use an admin account" and you will have to solve it on your own.

--
Chris Priede (priede@panix.com)
!