Windows 2003 - User Logins vs Software

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

We have recently installed a Windows 2003 domain server. Our workstations
are running Windows XP Professional. The individual users do not have rights
to install programs but have access to common areas on the server. All
documents are saved to the server; however, because we are running various
software the workstations may have various software packages installed.

Some of the software will not work unless the user has administrative rights
to the server. I have tried several ways to install in the software. Most
recently, I resorted to the following steps. Sometimes it works but not
always:

1. Set the user to Administrator privileges
2. Install software under his/her username with the Administrator permissions
3. I test the software and is working properly at this phase. I cannot
install the software using their username unless they have administrative
access to the machine. I've this test was after I realized when I install
the software as an administrator, the software will not work for them with
their user rights.
4. After all is checked and running properly, I reset their user rights to
the company user profile.

The result is the software will not work. I have two software packages that
will not work and one Vinyl cutter (printer) that will not work unless the
workstation is logged on with administrative access. We have 14 workstations
and three laptops running off this server. We cannot keep giving the users
administrative access because the software doesn't work. Can you please
advise what I can do to fix the problem and still maintain network security.

Thankyou,
--
Marilyne
2 answers Last reply
More about windows 2003 user logins software
  1. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Marilyne wrote:

    > We have recently installed a Windows 2003 domain server. Our
    > workstations
    > are running Windows XP Professional. The individual users do not have
    > rights
    > to install programs but have access to common areas on the server.
    > All documents are saved to the server; however, because we are running
    > various software the workstations may have various software packages
    > installed.
    >
    > Some of the software will not work unless the user has administrative
    > rights
    > to the server. I have tried several ways to install in the software.
    > Most
    > recently, I resorted to the following steps. Sometimes it works but
    > not always:
    >
    > 1. Set the user to Administrator privileges
    > 2. Install software under his/her username with the Administrator
    > permissions
    > 3. I test the software and is working properly at this phase. I
    > cannot install the software using their username unless they have
    > administrative
    > access to the machine. I've this test was after I realized when I
    > install the software as an administrator, the software will not work
    > for them with their user rights.
    > 4. After all is checked and running properly, I reset their user
    > rights to the company user profile.
    >
    > The result is the software will not work. I have two software
    > packages that will not work and one Vinyl cutter (printer) that will
    > not work unless the
    > workstation is logged on with administrative access. We have 14
    > workstations
    > and three laptops running off this server. We cannot keep giving the
    > users
    > administrative access because the software doesn't work. Can you
    > please advise what I can do to fix the problem and still maintain
    > network security.
    >
    > Thankyou,

    There very first thing you need to do is complain long and loud to the
    software mftr. If there are any competitive products and one program
    understands security and the other doesn't, consider changing.
    Unfortunately, this isn't really practical in most cases since the
    niche software usually fills such a narrow need. Your situation is
    extremely common with this sort of niche industry-specific software. I
    have several clients in the same boat - different industries, but same
    concept. If runas won't even work for you, then you really don't have a
    choice; if you have to run this software then you have to make the
    users admins. Maybe someone else has a better idea - although it
    certainly sounds like you've tried everything.

    Malke
    --
    MS MVP - Windows Shell/User
    Elephant Boy Computers
    www.elephantboycomputers.com
    "Don't Panic!"
  2. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Hi,

    Marilyne wrote:
    > We have recently installed a Windows 2003 domain server. Our
    > workstations are running Windows XP Professional. [...] Some of the
    > software will not work unless the user has administrative
    > rights to the server.

    The mention of the server leads me to suspect you might not realize that you
    can also grant a specific user local admin rights, on their particular
    workstation only. To do it remotely (from the server): log on as a domain
    admin, open "Active Directory Users and Computers", locate the workstation
    computer object, right click and choose "Manage". Computer Management
    snap-in will open for the workstation. Add the user's domain account to the
    "Administrators" group under "Local users and Groups".

    This only grants the user administrator priviles to that specific
    workstation, which is something you should try to avoid if you can -- but it
    is much less of a security compromise than handing out domain admin
    privileges.

    > I have two software packages that will not work and one Vinyl
    > cutter (printer) that will not work unless the workstation is logged
    > on with administrative access.

    Sadly, this is not uncommon -- especially with limited market,
    industry-specific applications (which tend to be poorly designed to begin
    with and even more poorly maintained after).

    Your options include:

    1) Get better software. This could mean a different product, or perhaps a
    newer version (if there is one and if it addresses the privilege issues).

    2) Live with giving users local admin. Before you concede to that, try the
    local "Power User" group -- it's a step between ordinary user and admin, and
    it may suffice.

    3) Tweak it. In most cases, the culprit software is only trying to write to
    files and registry locations that have inherited prohibitive default
    permissions. This could be data files under the installation directory,
    ..ini files under Windows directory, registry keys in the HKLM hive, and so
    forth.

    You can change the permissions on these items to allow ordinary users to
    modify them and your software will be happy. With some effort and an
    understanding of NTFS security and auditing, it is usually possible to get
    it to work.

    Unfortunately, you will have to work out what permissions are needed and
    where, individually for each program. Sometimes the vendor will have
    documented it in response to complaints from other users before you (it's
    worth your time to call and ask), but more often than not they will just say
    "use an admin account" and you will have to solve it on your own.

    --
    Chris Priede (priede@panix.com)
Ask a new question

Read More

Windows Server 2003 Software Servers Windows XP