Group Policy to administrator local rights

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I help manage a network of over 100 clients, most running Windows XP, some
on earlier OS'es. We use Active Directory on a Windows 2003 Server. There
are a few business applications that we run that require full administrative
access to a few local computer files in order to run. Just one example is
our AS/400 interface program. The .exe crashes if you try to run the
program while logged on as a basic user. However, if logged on as
administrator, it runs fine. We've also found that giving full access to
the "Program Files" folder to all users of the machine allows this program
(and others) to run without a hitch.

My question is, do I have to give priveledges on each local machine for the
"Program Files" folder so that I don't have to make everyone local
administrators? Or is there a way to do this through group policy? I have
figured out how to restrict programs, what I want to do is allow them to run
unrestricted. By the way, I have tried using software exception path rules,
setting the value to unrestricted, but this doesn't seem to work. The rule
states "unrestricted = rights depend on the user rights" which is why it's
still not working (they are still logged in as users, not administrators).

Thanks for any advice,
Ryan
1 answer Last reply
More about group policy administrator local rights
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    You can set the permissions on that folder using GPO, using the computer
    configuration\ file system policy setting.

    The problems that you're encountering are due to the fact that the newer OS'
    (NT5.x) have somewhat tighter permissions on the \WinNT, \Windows, \Program
    Files and HKLM hive. There are a number of ways round this. You've found
    one. Another is to use something like regmon to find out exactly what keys
    are being used and modify the permissions on those. Another is to use the
    compatws.inf security template.

    However, if lax'n the permissions on \Program Files works then go for it.
    The File System policy settings should make this a breeze. If not, you can
    use calcs to do this via a batch file...

    --

    Paul Williams

    http://www.msresource.net
    http://forums.msresource.net


    "Ryan Langton" <ryan@ryanlangton.com> wrote in message
    news:l2UId.3517$IJ5.3002@okepread02...
    I help manage a network of over 100 clients, most running Windows XP, some
    on earlier OS'es. We use Active Directory on a Windows 2003 Server. There
    are a few business applications that we run that require full administrative
    access to a few local computer files in order to run. Just one example is
    our AS/400 interface program. The .exe crashes if you try to run the
    program while logged on as a basic user. However, if logged on as
    administrator, it runs fine. We've also found that giving full access to
    the "Program Files" folder to all users of the machine allows this program
    (and others) to run without a hitch.

    My question is, do I have to give priveledges on each local machine for the
    "Program Files" folder so that I don't have to make everyone local
    administrators? Or is there a way to do this through group policy? I have
    figured out how to restrict programs, what I want to do is allow them to run
    unrestricted. By the way, I have tried using software exception path rules,
    setting the value to unrestricted, but this doesn't seem to work. The rule
    states "unrestricted = rights depend on the user rights" which is why it's
    still not working (they are still logged in as users, not administrators).

    Thanks for any advice,
    Ryan
Ask a new question

Read More

Windows Server 2003 Active Directory Windows