Quickly Add Group Admin Rights on Selected Folders

Jon

Dec 4, 2003
Archived from groups: microsoft.public.windowsxp.security_admin

I have the following environment at the parochial school I administer:
Windows 2003 Server
Windows XP Professional Workstations - 35 Users

I installed Accelerated Reader on our computer lab consisting of 20
computers. All of the lab users are very restricted using GPO. My problem is
that Accelerated Reader runs off the server but requires users to have admin
rights on the WINNT folder. I was hoping to find a quick way to give the lab
users admin rights only to the WINNT folder and not add them to the local
admin group. Not sure if this can be done with scripting or GPO. Thanks for
the help.

Jon
 
Guest

Use GPO to manage access rights of the WINNT folder.

1. Open GPMC.msc
2. Edit the policy for your workstations
3. Computer Configuration\Windows Settings\Security Settings\File System
4. Right-click the File System folder and select Add
5. Specify access rights to WINNT


:o)

TimH

"Jon" wrote:

> I have the following environment at the parochial school I administer:
> Windows 2003 Server
> Windows XP Professional Workstations - 35 Users
>
> I installed Accelerated Reader on our computer lab consisting of 20
> computers. All of the lab users are very restricted using GPO. My problem is
> that Accelerated Reader runs off the server but requires users to have admin
> rights on the WINNT folder. I was hoping to find a quick way to give the lab
> users admin rights only to the WINNT folder and not add them to the local
> admin group. Not sure if this can be done with scripting or GPO. Thanks for
> the help.
>
> Jon
 
Guest

In news:D4251020-29E6-4AD0-9684-6A21BE74939F@microsoft.com,
Jon <Jon@discussions.microsoft.com> typed:
> I have the following environment at the parochial school I administer:
> Windows 2003 Server
> Windows XP Professional Workstations - 35 Users
>
> I installed Accelerated Reader on our computer lab consisting of 20
> computers. All of the lab users are very restricted using GPO. My
> problem is that Accelerated Reader runs off the server but requires
> users to have admin rights on the WINNT folder. I was hoping to find
> a quick way to give the lab users admin rights only to the WINNT
> folder and not add them to the local admin group. Not sure if this
> can be done with scripting or GPO. Thanks for the help.
>
> Jon

In addition to the other reply - it can't really be possible that the app
requires full control over %systemroot% and all its subfolders in order to
run. If it does (and, frankly, even if it's just subfolders users don't
normally have access to), I would be calling up the app mfr and screaming my
fool head off.

Users shouldn't need local admin rights to run anything. And any
folder/subfolder/regkey created by an application's installation routine
should set its own permissions.

This is merely sloppy programming, and if people don't complain, the
developers will never fix their ___.

www.sysinternals.com has two freebies you may find useful - filemon and
sysmon. I suggest you check them out to see what *exactly* this app is
expecting the user to be able to read from/write to, and grant *only* that.
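
One way to act on the suggestion in the last reply, as an added example that is not part of the original thread: run the application as a restricted lab user while a file monitor is logging, then reduce the log to the paths where access was denied, so only those get an ACL change. The tab-delimited column order, the process name `ARAPP.EXE` and every path below are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. Assumed column order of the exported log:
# sequence, time, process:pid, request, path, result.
# ARAPP.EXE is a hypothetical process name; the paths are invented.
ROWS = [
    ("1", "10:01:02", "ARAPP.EXE:1312", "OPEN", r"C:\WINNT\arapp.ini", "SUCCESS"),
    ("2", "10:01:02", "ARAPP.EXE:1312", "WRITE", r"C:\WINNT\arapp.ini", "ACCESS DENIED"),
    ("3", "10:01:03", "ARAPP.EXE:1312", "OPEN", r"C:\WINNT\ARData\users.dat", "ACCESS DENIED"),
    ("4", "10:01:03", "explorer.exe:880", "WRITE", r"C:\WINNT\system32\x.tmp", "ACCESS DENIED"),
    ("5", "10:01:04", "ARAPP.EXE:1312", "CREATE", r"C:\WINNT\ARData\session.tmp", "ACCESS DENIED"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in ROWS)

# Request types treated as needing write access (a simplification: a denied
# OPEN is counted as a read unless a write-type request also failed).
WRITE_REQUESTS = {"WRITE", "CREATE", "DELETE", "SET INFORMATION"}


def denied_requests(log_text, process_name):
    """Map each path the process was denied on to the set of denied requests."""
    needs = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        if len(row) < 6:
            continue  # skip headers, blank or truncated lines
        process, request, path, result = row[2], row[3], row[4], row[5]
        if not process.upper().startswith(process_name.upper()):
            continue  # ignore other processes' failures
        if result.strip().upper() != "ACCESS DENIED":
            continue
        # Windows paths are case-insensitive, so normalise before grouping.
        needs[path.lower()].add(request.strip().upper())
    return dict(needs)


def grant_plan(needs):
    """Return sorted (path, access) pairs: the least access each path needs."""
    return sorted(
        (path, "modify" if requests & WRITE_REQUESTS else "read")
        for path, requests in needs.items()
    )


if __name__ == "__main__":
    for path, access in grant_plan(denied_requests(SAMPLE_LOG, "ARAPP.EXE")):
        print(f"{access:6}  {path}")
```

The resulting list is what goes into the File System policy entries from the first reply, one entry per path, instead of a single grant on the whole WINNT folder.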