Group Policy to allow user to run program without bring lo..

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I looked but didn't see this elsewhere so hopefully I'm not making a repeat
request.

I've got a 2K enviroment w/SP4 and XP clients most w/SP2.

Is there anyway, using group policy, that I can allow a user to run a
program that normally would require them to be set up as a local
administrator? We have some software, ie Payroll, bank software, that require
the user to have local adminstrator rights...not to just install but actually
run. A few will let me take them down to Power User but there are still a few
that will not run unless they are a local admin. I want to be able to take
away the admin and power user rights and let them return to being a
restricted user.

Thanks in advance.
10 answers Last reply
More about group policy user program bring
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "Damone" <Damone@discussions.microsoft.com> wrote in message
    news:9F683870-118D-4068-986F-9BC651ECAF8A@microsoft.com...
    > I looked but didn't see this elsewhere so hopefully I'm not making a
    repeat
    > request.
    >
    > I've got a 2K enviroment w/SP4 and XP clients most w/SP2.
    >
    > Is there anyway, using group policy, that I can allow a user to run a
    > program that normally would require them to be set up as a local
    > administrator?

    Not really.

    > We have some software, ie Payroll, bank software, that require
    > the user to have local adminstrator rights...not to just install but
    actually
    > run. A few will let me take them down to Power User but there are still a
    few
    > that will not run unless they are a local admin. I want to be able to take
    > away the admin and power user rights and let them return to being a
    > restricted user.

    Such software should be replaced -- it is incorrectly designed
    but the reality may be you cannot do this at this time.

    Basicly you need to make the users local administrators of their
    own machine (probably.)


    --
    Herb Martin


    >
    > Thanks in advance.
  2. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "Herb Martin" <news@LearnQuick.com> wrote in message
    news:uMBwI062EHA.1472@TK2MSFTNGP10.phx.gbl...
    >> We have some software, ie Payroll, bank software, that require
    >> the user to have local adminstrator rights...not to just install but
    > actually
    >> run. A few will let me take them down to Power User but there are still a
    > few
    >> that will not run unless they are a local admin. I want to be able to
    >> take
    >> away the admin and power user rights and let them return to being a
    >> restricted user.
    >
    > Such software should be replaced -- it is incorrectly designed
    > but the reality may be you cannot do this at this time.
    >
    > Basicly you need to make the users local administrators of their
    > own machine (probably.)
    >

    Or you can give the user account access to the registry keys the software is
    trying to access/alter/change. Bu I agree, it would be much easier and more
    secure if there's an updated version of the software that will run under the
    current operating systems.

    --
    Regards,
    Ace

    G O E A G L E S !!!
    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services

    Security Is Like An Onion, It Has Layers
    HAM AND EGGS: A day's work for a chicken;
    A lifetime commitment for a pig.
    --
    =================================
  3. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    IIRC, the Application Compatibility Tools have a "fix" that usually can take
    care of these kind of probs... Do a search for ACT on
    www.microsoft.com/downloads, I know I've used that "feature" a while
    back....

    Regards,
    /Jimmy
    --
    Jimmy Andersson, Q Advice AB
    Microsoft MVP - Directory Services
    ---------- www.qadvice.com ----------


    "Ace Fekay [MVP]" <firstnamelastname@hotmail.com> wrote in message
    news:ux$N$U92EHA.2572@tk2msftngp13.phx.gbl...
    >
    > "Herb Martin" <news@LearnQuick.com> wrote in message
    > news:uMBwI062EHA.1472@TK2MSFTNGP10.phx.gbl...
    >>> We have some software, ie Payroll, bank software, that require
    >>> the user to have local adminstrator rights...not to just install but
    >> actually
    >>> run. A few will let me take them down to Power User but there are still
    >>> a
    >> few
    >>> that will not run unless they are a local admin. I want to be able to
    >>> take
    >>> away the admin and power user rights and let them return to being a
    >>> restricted user.
    >>
    >> Such software should be replaced -- it is incorrectly designed
    >> but the reality may be you cannot do this at this time.
    >>
    >> Basicly you need to make the users local administrators of their
    >> own machine (probably.)
    >>
    >
    > Or you can give the user account access to the registry keys the software
    > is trying to access/alter/change. Bu I agree, it would be much easier and
    > more secure if there's an updated version of the software that will run
    > under the current operating systems.
    >
    > --
    > Regards,
    > Ace
    >
    > G O E A G L E S !!!
    > Please direct all replies ONLY to the Microsoft public newsgroups
    > so all can benefit.
    >
    > This posting is provided "AS-IS" with no warranties or guarantees
    > and confers no rights.
    >
    > Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    > Microsoft Windows MVP - Windows Server - Directory Services
    >
    > Security Is Like An Onion, It Has Layers
    > HAM AND EGGS: A day's work for a chicken;
    > A lifetime commitment for a pig.
    > --
    > =================================
    >
  4. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    In news:e%23XIrc$2EHA.1296@TK2MSFTNGP10.phx.gbl,
    Jimmy Andersson [MVP] <jimmy_NO_SPAM_@mvps.org> made a post then I commented
    below
    > IIRC, the Application Compatibility Tools have a "fix" that usually
    > can take care of these kind of probs... Do a search for ACT on
    > www.microsoft.com/downloads, I know I've used that "feature" a while
    > back....
    >
    > Regards,
    > /Jimmy

    Thanks, Jimmy. Didn't know this one existed.

    Here's the link:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=7fc46855-b8a4-46cd-a236-3159970fde94&DisplayLang=en

    Ace
  5. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "Ace Fekay [MVP]" <firstnamelastname@hotmail.com> wrote in message
    news:ux$N$U92EHA.2572@tk2msftngp13.phx.gbl...


    > Or you can give the user account access to the registry keys the software
    is
    > trying to access/alter/change. Bu I agree, it would be much easier and
    more
    > secure if there's an updated version of the software that will run under
    the
    > current operating systems.
    >


    This is very difficult to do in practice -- not the act of
    granting the access, that's trivial but rather finding which
    registry and perhaps file permissions to change.

    Anyone wishing to do this will likely need something like
    the file and registry monitor tools (free) from SysInternals.com

    Maybe even have to monitor system objects or tokens etc.

    You basically run these things while using the software and
    log what the they touch. You might also have to enable some
    complicated registry and file AUDITING scheme to discover
    anything you miss (audit for failures of object access -- that's
    the easy part.)

    Obviously, from the above, I have done this, but it is not fun
    usually and not always (immediately) successful.
  6. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "Jimmy Andersson [MVP]" <jimmy_NO_SPAM_@mvps.org> wrote in message
    news:e#XIrc$2EHA.1296@TK2MSFTNGP10.phx.gbl...
    > IIRC, the Application Compatibility Tools have a "fix" that usually can
    take
    > care of these kind of probs... Do a search for ACT on
    > www.microsoft.com/downloads, I know I've used that "feature" a while
    > back....


    Now, that's cool. If I knew about these then I had forgotten
    them.

    Thanks

    --
    Herb Martin


    >
    > Regards,
    > /Jimmy
    > --
    > Jimmy Andersson, Q Advice AB
    > Microsoft MVP - Directory Services
    > ---------- www.qadvice.com ----------
    >
    >
    > "Ace Fekay [MVP]" <firstnamelastname@hotmail.com> wrote in message
    > news:ux$N$U92EHA.2572@tk2msftngp13.phx.gbl...
    > >
    > > "Herb Martin" <news@LearnQuick.com> wrote in message
    > > news:uMBwI062EHA.1472@TK2MSFTNGP10.phx.gbl...
    > >>> We have some software, ie Payroll, bank software, that require
    > >>> the user to have local adminstrator rights...not to just install but
    > >> actually
    > >>> run. A few will let me take them down to Power User but there are
    still
    > >>> a
    > >> few
    > >>> that will not run unless they are a local admin. I want to be able to
    > >>> take
    > >>> away the admin and power user rights and let them return to being a
    > >>> restricted user.
    > >>
    > >> Such software should be replaced -- it is incorrectly designed
    > >> but the reality may be you cannot do this at this time.
    > >>
    > >> Basicly you need to make the users local administrators of their
    > >> own machine (probably.)
    > >>
    > >
    > > Or you can give the user account access to the registry keys the
    software
    > > is trying to access/alter/change. Bu I agree, it would be much easier
    and
    > > more secure if there's an updated version of the software that will run
    > > under the current operating systems.
    > >
    > > --
    > > Regards,
    > > Ace
    > >
    > > G O E A G L E S !!!
    > > Please direct all replies ONLY to the Microsoft public newsgroups
    > > so all can benefit.
    > >
    > > This posting is provided "AS-IS" with no warranties or guarantees
    > > and confers no rights.
    > >
    > > Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    > > Microsoft Windows MVP - Windows Server - Directory Services
    > >
    > > Security Is Like An Onion, It Has Layers
    > > HAM AND EGGS: A day's work for a chicken;
    > > A lifetime commitment for a pig.
    > > --
    > > =================================
    > >
    >
    >
  7. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Thank you to everyone who responded. I'm going to give the Windows
    Application Compatibility Toolkit a try and see what I can do. I wish
    something could be done about the software but what we use comes directly
    from the bank we do business with and ADP. Any complaints I have just fall on
    deaf ears.

    "Herb Martin" wrote:

    > "Ace Fekay [MVP]" <firstnamelastname@hotmail.com> wrote in message
    > news:ux$N$U92EHA.2572@tk2msftngp13.phx.gbl...
    >
    >
    > > Or you can give the user account access to the registry keys the software
    > is
    > > trying to access/alter/change. Bu I agree, it would be much easier and
    > more
    > > secure if there's an updated version of the software that will run under
    > the
    > > current operating systems.
    > >
    >
    >
    > This is very difficult to do in practice -- not the act of
    > granting the access, that's trivial but rather finding which
    > registry and perhaps file permissions to change.
    >
    > Anyone wishing to do this will likely need something like
    > the file and registry monitor tools (free) from SysInternals.com
    >
    > Maybe even have to monitor system objects or tokens etc.
    >
    > You basically run these things while using the software and
    > log what the they touch. You might also have to enable some
    > complicated registry and file AUDITING scheme to discover
    > anything you miss (audit for failures of object access -- that's
    > the easy part.)
    >
    > Obviously, from the above, I have done this, but it is not fun
    > usually and not always (immediately) successful.
    >
    >
    >
    >
  8. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    And the file and registry monitor tools (free) from SysInternals.com. Didn't
    want to forget that.


    "Damone" wrote:

    > Thank you to everyone who responded. I'm going to give the Windows
    > Application Compatibility Toolkit a try and see what I can do. I wish
    > something could be done about the software but what we use comes directly
    > from the bank we do business with and ADP. Any complaints I have just fall on
    > deaf ears.
    >
    > "Herb Martin" wrote:
    >
    > > "Ace Fekay [MVP]" <firstnamelastname@hotmail.com> wrote in message
    > > news:ux$N$U92EHA.2572@tk2msftngp13.phx.gbl...
    > >
    > >
    > > > Or you can give the user account access to the registry keys the software
    > > is
    > > > trying to access/alter/change. Bu I agree, it would be much easier and
    > > more
    > > > secure if there's an updated version of the software that will run under
    > > the
    > > > current operating systems.
    > > >
    > >
    > >
    > > This is very difficult to do in practice -- not the act of
    > > granting the access, that's trivial but rather finding which
    > > registry and perhaps file permissions to change.
    > >
    > > Anyone wishing to do this will likely need something like
    > > the file and registry monitor tools (free) from SysInternals.com
    > >
    > > Maybe even have to monitor system objects or tokens etc.
    > >
    > > You basically run these things while using the software and
    > > log what the they touch. You might also have to enable some
    > > complicated registry and file AUDITING scheme to discover
    > > anything you miss (audit for failures of object access -- that's
    > > the easy part.)
    > >
    > > Obviously, from the above, I have done this, but it is not fun
    > > usually and not always (immediately) successful.
    > >
    > >
    > >
    > >
  9. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "Damone" <Damone@discussions.microsoft.com> wrote in message
    news:2D0D7413-B3A6-4B9C-ADD1-51B4680A17B5@microsoft.com...
    > And the file and registry monitor tools (free) from SysInternals.com.
    Didn't
    > want to forget that.
    >


    There are a LOT of other cool (and mostly free) tools
    there too.


    --
    Herb Martin


    >
    >
    > "Damone" wrote:
    >
    > > Thank you to everyone who responded. I'm going to give the Windows
    > > Application Compatibility Toolkit a try and see what I can do. I wish
    > > something could be done about the software but what we use comes
    directly
    > > from the bank we do business with and ADP. Any complaints I have just
    fall on
    > > deaf ears.
    > >
    > > "Herb Martin" wrote:
    > >
    > > > "Ace Fekay [MVP]" <firstnamelastname@hotmail.com> wrote in message
    > > > news:ux$N$U92EHA.2572@tk2msftngp13.phx.gbl...
    > > >
    > > >
    > > > > Or you can give the user account access to the registry keys the
    software
    > > > is
    > > > > trying to access/alter/change. Bu I agree, it would be much easier
    and
    > > > more
    > > > > secure if there's an updated version of the software that will run
    under
    > > > the
    > > > > current operating systems.
    > > > >
    > > >
    > > >
    > > > This is very difficult to do in practice -- not the act of
    > > > granting the access, that's trivial but rather finding which
    > > > registry and perhaps file permissions to change.
    > > >
    > > > Anyone wishing to do this will likely need something like
    > > > the file and registry monitor tools (free) from SysInternals.com
    > > >
    > > > Maybe even have to monitor system objects or tokens etc.
    > > >
    > > > You basically run these things while using the software and
    > > > log what the they touch. You might also have to enable some
    > > > complicated registry and file AUDITING scheme to discover
    > > > anything you miss (audit for failures of object access -- that's
    > > > the easy part.)
    > > >
    > > > Obviously, from the above, I have done this, but it is not fun
    > > > usually and not always (immediately) successful.
    > > >
    > > >
    > > >
    > > >
  10. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    In news:uqRgS2J3EHA.2804@TK2MSFTNGP15.phx.gbl,
    Herb Martin <news@LearnQuick.com> made a post then I commented below
    > "Damone" <Damone@discussions.microsoft.com> wrote in message
    > news:2D0D7413-B3A6-4B9C-ADD1-51B4680A17B5@microsoft.com...
    >> And the file and registry monitor tools (free) from
    >> SysInternals.com. Didn't want to forget that.
    >>
    >
    >
    > There are a LOT of other cool (and mostly free) tools
    > there too.
    >

    There's a tool called ART (Adv Reg Tracer), that will show you what registry
    settings are attempting to be modified or accessed by the app. Of course,
    one needs to be logged in to the machine as an admin or Power User to allow
    the changes so this picks it up. There are other tools in the link below as
    well, that can be used.

    http://www.softlandmark.com/Registry.htm

    But I would try the Application Compatibility tool first.

    Ace
Ask a new question

Read More

Policy Active Directory Windows