Sign in with
Sign up | Sign in
Your question

Grant Application Access with a GPO

Last response: in Windows 2000/NT
Share
Anonymous
January 19, 2005 2:43:05 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I have a program that needs to run on all of the client computers on my
network. .

The problem is that the software will only run if the Domain User account is
setup as an Administrator on the client machine. This I do not like.

I was wondering if I can grant the required access to the program with GPO.
I found in Group Policy\User Configuration\Admin Templates\Run only allowed
Windows applications. This is the only thing I can find that has to do with
giving program access, but does not appear to be what I need.

Also, it is an older application the does not use Windows Installer, so I
don’t think I can use the Software Installation function. Or can I?

Can this be done with a GPO, or by any other method?
I am kind of at a loss on what to do here, so any suggestions would be great.

Thanks,
stikfa
Anonymous
January 20, 2005 1:13:11 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I am sure that this is not true. Err, meaning that the domain user account
object needing to be a member of the Local Administrators group. Generally
the application needs to have access to certain areas of the registry and to
certain directories during installation. Obviously, when the user account
object is a member of the default Local Users group there are not enough
permissions / rights. Probably the same for Local Power Users group.

You can go to http://www.sysinternals.com and look at filemon and regmon.
Follow the instructions and you will find out just exactly what is causing
the problem(s). The solution should be easy from there.

And I am sure that the application simply needs these rights / permissions
during the installation - not actually to be used!

And, I think that you might be looking at the Software Restriction
backwards.

To use GPO to install software you need an .msi file. If one does not come
natively then you would need to create one. There are many third party
applications that can do this. One free software app that can do this comes
with WIN2000 Server. It is called WinInstall Lite. You might want to look
into this....

I would use filemon and regmon to solve this, though. It might be a bit
involved but once you do it a couple of times it gets easier and easier!

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Stikfa" <Stikfa@discussions.microsoft.com> wrote in message
news:493FB6AD-CC35-47B8-A9A2-50CCA85102A5@microsoft.com...
>I have a program that needs to run on all of the client computers on my
> network. .
>
> The problem is that the software will only run if the Domain User account
> is
> setup as an Administrator on the client machine. This I do not like.
>
> I was wondering if I can grant the required access to the program with
> GPO.
> I found in Group Policy\User Configuration\Admin Templates\Run only
> allowed
> Windows applications. This is the only thing I can find that has to do
> with
> giving program access, but does not appear to be what I need.
>
> Also, it is an older application the does not use Windows Installer, so I
> don't think I can use the Software Installation function. Or can I?
>
> Can this be done with a GPO, or by any other method?
> I am kind of at a loss on what to do here, so any suggestions would be
> great.
>
> Thanks,
> stikfa
>
>
Anonymous
January 22, 2005 4:30:20 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi,

>The problem is that the software will only run if the Domain User
>account is setup as an Administrator on the client machine. This I do
>not like.

I have hundreds of pieces of software I have tweaked to run under a
read-only machine. My users have no write access except to their
HomeDrive on the server.

I use inctrl5 to find out what reg keys and what specific files need
access and then I give write access to only those keys and files.
Works fine so far. Even got AutoCad 2004 full version to run under a
read-only account and they said that I couldn’t do it.

http://www.sd61.bc.ca/windows2000/downloads/inctrl5.zip

Cheers,

Lara

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Group-Policy-Grant-Applica...
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=783189
!