Group Policy to administrator local rights

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I help manage a network of over 100 clients, most running Windows XP, some
on earlier OS'es. We use Active Directory on a Windows 2003 Server. There
are a few business applications that we run that require full administrative
access to a few local computer files in order to run. Just one example is
our AS/400 interface program. The .exe crashes if you try to run the
program while logged on as a basic user. However, if logged on as
administrator, it runs fine. We've also found that giving full access to
the "Program Files" folder to all users of the machine allows this program
(and others) to run without a hitch.

My question is, do I have to give priveledges on each local machine for the
"Program Files" folder so that I don't have to make everyone local
administrators? Or is there a way to do this through group policy? I have
figured out how to restrict programs, what I want to do is allow them to run
unrestricted. By the way, I have tried using software exception path rules,
setting the value to unrestricted, but this doesn't seem to work. The rule
states "unrestricted = rights depend on the user rights" which is why it's
still not working (they are still logged in as users, not administrators).

Thanks for any advice,
Ryan

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

You can set the permissions on that folder using GPO, using the computer
configuration\ file system policy setting.

The problems that you're encountering are due to the fact that the newer OS'
(NT5.x) have somewhat tighter permissions on the \WinNT, \Windows, \Program
Files and HKLM hive. There are a number of ways round this. You've found
one. Another is to use something like regmon to find out exactly what keys
are being used and modify the permissions on those. Another is to use the
compatws.inf security template.

However, if lax'n the permissions on \Program Files works then go for it.
The File System policy settings should make this a breeze. If not, you can
use calcs to do this via a batch file...

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


"Ryan Langton" <ryan@ryanlangton.com> wrote in message
news:l2UId.3517$IJ5.3002@okepread02...
I help manage a network of over 100 clients, most running Windows XP, some
on earlier OS'es. We use Active Directory on a Windows 2003 Server. There
are a few business applications that we run that require full administrative
access to a few local computer files in order to run. Just one example is
our AS/400 interface program. The .exe crashes if you try to run the
program while logged on as a basic user. However, if logged on as
administrator, it runs fine. We've also found that giving full access to
the "Program Files" folder to all users of the machine allows this program
(and others) to run without a hitch.

My question is, do I have to give priveledges on each local machine for the
"Program Files" folder so that I don't have to make everyone local
administrators? Or is there a way to do this through group policy? I have
figured out how to restrict programs, what I want to do is allow them to run
unrestricted. By the way, I have tried using software exception path rules,
setting the value to unrestricted, but this doesn't seem to work. The rule
states "unrestricted = rights depend on the user rights" which is why it's
still not working (they are still logged in as users, not administrators).

Thanks for any advice,
Ryan