
Group Policy to allow user to run program without bring lo..

Last response: in Windows 2000/NT
Anonymous
December 6, 2004 10:19:05 AM

Archived from groups: microsoft.public.win2000.active_directory

I looked but didn't see this elsewhere so hopefully I'm not making a repeat
request.

I've got a 2K environment w/SP4 and XP clients most w/SP2.

Is there any way, using group policy, that I can allow a user to run a
program that normally would require them to be set up as a local
administrator? We have some software, ie Payroll, bank software, that require
the user to have local administrator rights...not to just install but actually
run. A few will let me take them down to Power User but there are still a few
that will not run unless they are a local admin. I want to be able to take
away the admin and power user rights and let them return to being a
restricted user.

Thanks in advance.
Anonymous
December 6, 2004 12:50:13 PM

Archived from groups: microsoft.public.win2000.active_directory

"Damone" <Damone@discussions.microsoft.com> wrote in message
news:9F683870-118D-4068-986F-9BC651ECAF8A@microsoft.com...
> I looked but didn't see this elsewhere so hopefully I'm not making a repeat
> request.
>
> I've got a 2K environment w/SP4 and XP clients most w/SP2.
>
> Is there any way, using group policy, that I can allow a user to run a
> program that normally would require them to be set up as a local
> administrator?

Not really.

> We have some software, ie Payroll, bank software, that require
> the user to have local administrator rights...not to just install but actually
> run. A few will let me take them down to Power User but there are still a few
> that will not run unless they are a local admin. I want to be able to take
> away the admin and power user rights and let them return to being a
> restricted user.

Such software should be replaced -- it is incorrectly designed
but the reality may be you cannot do this at this time.

Basically you need to make the users local administrators of their
own machine (probably.)



--
Herb Martin


>
> Thanks in advance.
Anonymous
December 6, 2004 6:50:58 PM

Archived from groups: microsoft.public.win2000.active_directory

"Herb Martin" <news@LearnQuick.com> wrote in message
news:uMBwI062EHA.1472@TK2MSFTNGP10.phx.gbl...
>> We have some software, ie Payroll, bank software, that require
>> the user to have local administrator rights...not to just install but actually
>> run. A few will let me take them down to Power User but there are still a few
>> that will not run unless they are a local admin. I want to be able to take
>> away the admin and power user rights and let them return to being a
>> restricted user.
>
> Such software should be replaced -- it is incorrectly designed
> but the reality may be you cannot do this at this time.
>
> Basically you need to make the users local administrators of their
> own machine (probably.)
>

Or you can give the user account access to the registry keys the software is
trying to access/alter/change. But I agree, it would be much easier and more
secure if there's an updated version of the software that will run under the
current operating systems.

--
Regards,
Ace

G O E A G L E S !!!
Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
Anonymous
December 7, 2004 4:44:51 AM

Archived from groups: microsoft.public.win2000.active_directory

IIRC, the Application Compatibility Tools have a "fix" that usually can take
care of these kind of probs... Do a search for ACT on
www.microsoft.com/downloads, I know I've used that "feature" a while
back....

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------
Anonymous
December 7, 2004 4:44:52 AM

Archived from groups: microsoft.public.win2000.active_directory

In news:e%23XIrc$2EHA.1296@TK2MSFTNGP10.phx.gbl,
Jimmy Andersson [MVP] <jimmy_NO_SPAM_@mvps.org> made a post then I commented
below
> IIRC, the Application Compatibility Tools have a "fix" that usually
> can take care of these kind of probs... Do a search for ACT on
> www.microsoft.com/downloads, I know I've used that "feature" a while
> back....
>
> Regards,
> /Jimmy

Thanks, Jimmy. Didn't know this one existed.

Here's the link:
http://www.microsoft.com/downloads/details.aspx?FamilyI...

Ace
Anonymous
December 7, 2004 5:20:12 AM

Archived from groups: microsoft.public.win2000.active_directory

"Ace Fekay [MVP]" <firstnamelastname@hotmail.com> wrote in message
news:ux$N$U92EHA.2572@tk2msftngp13.phx.gbl...


> Or you can give the user account access to the registry keys the software is
> trying to access/alter/change. But I agree, it would be much easier and more
> secure if there's an updated version of the software that will run under the
> current operating systems.
>


This is very difficult to do in practice -- not the act of
granting the access, that's trivial but rather finding which
registry and perhaps file permissions to change.

Anyone wishing to do this will likely need something like
the file and registry monitor tools (free) from SysInternals.com

Maybe even have to monitor system objects or tokens etc.

You basically run these things while using the software and
log what they touch. You might also have to enable some
complicated registry and file AUDITING scheme to discover
anything you miss (audit for failures of object access -- that's
the easy part.)

Obviously, from the above, I have done this, but it is not fun
usually and not always (immediately) successful.
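
The log-review step described in the post above, as an added example that is not part of the original post or of any tool's own code: it reduces a monitor log to the distinct registry keys and files one process was denied, which is the list that needs permissions instead of local admin rights. The tab-separated column layout, the `ACCESS DENIED` result string, and the names `payroll.exe` and `ExampleVendor` are assumptions made for illustration.

```python
from collections import defaultdict

REGISTRY_ROOTS = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")

# Constructed sample log (not real tool output). Assumed columns:
# sequence, time, process:pid, request, path, result.
ROWS = [
    ("1", "0.01", "payroll.exe:1480", "OpenKey", r"HKLM\Software\ExampleVendor\Payroll", "SUCCESS"),
    ("2", "0.02", "payroll.exe:1480", "SetValue", r"HKLM\Software\ExampleVendor\Payroll\LastRun", "ACCESS DENIED"),
    ("3", "0.03", "explorer.exe:900", "CreateKey", r"HKLM\Software\Other", "ACCESS DENIED"),
    ("4", "0.04", "PAYROLL.EXE:1480", "WRITE", r"C:\Program Files\ExamplePayroll\data.mdb", "ACCESS DENIED"),
    ("5", "0.05", "payroll.exe:1480", "CreateKey", r"hklm\software\examplevendor\payroll\LastRun", "ACCESS DENIED"),
    ("6", "truncated line"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in ROWS)


def denied_targets(log_text, process_name, denied_marker="ACCESS DENIED"):
    """Return {"registry": {path: [requests]}, "file": {...}} for one process."""
    found = {"registry": defaultdict(set), "file": defaultdict(set)}
    display = {}  # lower-cased path -> first spelling seen (Windows paths ignore case)
    for line in log_text.splitlines():
        row = line.split("\t")
        if len(row) < 6:
            continue  # skip truncated or header lines
        proc, request, path, result = row[2:6]
        if proc.split(":")[0].lower() != process_name.lower():
            continue  # another process's denial is not this application's requirement
        if result.strip().upper() != denied_marker.upper():
            continue  # only failed access shows what the restricted user lacks
        key = display.setdefault(path.lower(), path)
        kind = "registry" if path.upper().startswith(REGISTRY_ROOTS) else "file"
        found[kind][key].add(request)
    return {kind: {p: sorted(reqs) for p, reqs in paths.items()}
            for kind, paths in found.items()}


if __name__ == "__main__":
    for kind, paths in denied_targets(SAMPLE_LOG, "payroll.exe").items():
        for path, requests in sorted(paths.items()):
            print(f"{kind:8} {path}  <- {', '.join(requests)}")
```

Capture the log while the application runs as the restricted user, so the denials reflect what that account is actually missing.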
Anonymous
December 7, 2004 5:21:03 AM

Archived from groups: microsoft.public.win2000.active_directory

"Jimmy Andersson [MVP]" <jimmy_NO_SPAM_@mvps.org> wrote in message
news:e#XIrc$2EHA.1296@TK2MSFTNGP10.phx.gbl...
> IIRC, the Application Compatibility Tools have a "fix" that usually can take
> care of these kind of probs... Do a search for ACT on
> www.microsoft.com/downloads, I know I've used that "feature" a while
> back....


Now, that's cool. If I knew about these then I had forgotten
them.

Thanks

--
Herb Martin


Anonymous
December 7, 2004 1:41:07 PM

Archived from groups: microsoft.public.win2000.active_directory

Thank you to everyone who responded. I'm going to give the Windows
Application Compatibility Toolkit a try and see what I can do. I wish
something could be done about the software but what we use comes directly
from the bank we do business with and ADP. Any complaints I have just fall on
deaf ears.
Anonymous
December 7, 2004 2:11:03 PM

Archived from groups: microsoft.public.win2000.active_directory

And the file and registry monitor tools (free) from SysInternals.com. Didn't
want to forget that.
Anonymous
December 7, 2004 5:42:27 PM

Archived from groups: microsoft.public.win2000.active_directory

"Damone" <Damone@discussions.microsoft.com> wrote in message
news:2D0D7413-B3A6-4B9C-ADD1-51B4680A17B5@microsoft.com...
> And the file and registry monitor tools (free) from SysInternals.com. Didn't
> want to forget that.
>


There are a LOT of other cool (and mostly free) tools
there too.


--
Herb Martin


Anonymous
December 7, 2004 11:30:31 PM

Archived from groups: microsoft.public.win2000.active_directory

In news:uqRgS2J3EHA.2804@TK2MSFTNGP15.phx.gbl,
Herb Martin <news@LearnQuick.com> made a post then I commented below
> "Damone" <Damone@discussions.microsoft.com> wrote in message
> news:2D0D7413-B3A6-4B9C-ADD1-51B4680A17B5@microsoft.com...
>> And the file and registry monitor tools (free) from
>> SysInternals.com. Didn't want to forget that.
>>
>
>
> There are a LOT of other cool (and mostly free) tools
> there too.
>

There's a tool called ART (Adv Reg Tracer), that will show you what registry
settings are attempting to be modified or accessed by the app. Of course,
one needs to be logged in to the machine as an admin or Power User to allow
the changes so this picks it up. There are other tools in the link below as
well, that can be used.

http://www.softlandmark.com/Registry.htm

But I would try the Application Compatibility tool first.

Ace