
allow users to run application

February 19, 2005 7:53:02 AM

Archived from groups: microsoft.public.win2000.group_policy

I have a bunch of applications that need admin rights to run. They will be
installed locally to the user PC. Is there a way I can create a policy to allow
the domain user to run these programs without giving them admin rights to the
PC?

It would be great to have a domain wide policy but we could do local policy
if need be. I really don't want to have them do a run as.

It is an XP on 2003 environment.

Thank you for any help.


Anonymous
February 19, 2005 8:06:11 AM

"Paul" <Paul@discussions.microsoft.com> said

> I have a bunch of applications that need admin rights to run. They will
> be installed locally to the user PC. Is there a way I can create a policy
> to allow the domain user to run these programs without giving them admin
> rights to the PC?
>

Use regmon and filemon from www.sysinternals.com when the app is running
under a normal user account to find out what the app is trying to access that
is being denied.
You can then use a combination of file/folder permissions (set via a startup
script assigned through a GPO) and registry permissions (set directly via a
GPO) to allow the application to run.

--

Andy.
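
The log-review step Andy describes, as an added example that is not part of the original post: it filters an exported monitoring log for one process's denied operations and groups them by parent folder or registry key, so permissions are changed only where the application actually needs them. The tab-separated column layout, the `acctapp.exe` name and the sample lines are assumptions constructed for illustration, not real Regmon or Filemon output.

```python
import csv
import io
import ntpath
from collections import Counter

# Constructed sample, not real tool output. Assumed tab-separated columns:
# sequence, time, process:pid, request, path, result
SAMPLE_LOG = "\n".join([
    "1\t10:01:02\tacctapp.exe:1204\tOPEN\tC:\\Program Files\\AcctApp\\data\\ledger.mdb\tSUCCESS",
    "2\t10:01:02\tacctapp.exe:1204\tWRITE\tC:\\Program Files\\AcctApp\\data\\ledger.mdb\tACCESS DENIED",
    "3\t10:01:03\tacctapp.exe:1204\tCREATE\tC:\\Program Files\\AcctApp\\data\\ledger.ldb\tACCESS DENIED",
    "4\t10:01:03\texplorer.exe:880\tOPEN\tC:\\WINDOWS\\system32\\config\\SAM\tACCESS DENIED",
    "5\t10:01:04\tacctapp.exe:1204\tSetValue\tHKLM\\SOFTWARE\\AcctApp\\Settings\\LastRun\tACCDENIED",
    "6\t10:01:05\tacctapp.exe:1204\tCREATE\tC:\\WINDOWS\\system32\\acct.tmp\tACCESS DENIED",
])

REGISTRY_ROOTS = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")
# Granting users write access under the system folder needs a second look.
SENSITIVE_PREFIXES = ("c:\\windows\\", "c:\\winnt\\")


def denied_containers(log_text, process_name):
    """Count denied operations per parent folder or registry key for one process."""
    counts = Counter()
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        if len(row) < 6:
            continue  # header or truncated line
        process, path, result = row[2], row[4], row[5]
        if process.rsplit(":", 1)[0].lower() != process_name.lower():
            continue  # some other process; not the application under test
        if "DENIED" not in result.upper():
            continue  # only denials matter here
        # Assumption: the last path component is a file or registry value name.
        counts[ntpath.dirname(path)] += 1
    return counts


def review_list(counts):
    """Return (container, kind, hits, sensitive) tuples, most-hit first."""
    rows = []
    for container, hits in counts.most_common():
        kind = "registry" if container.upper().startswith(REGISTRY_ROOTS) else "file"
        sensitive = (container.lower() + "\\").startswith(SENSITIVE_PREFIXES)
        rows.append((container, kind, hits, sensitive))
    return rows


if __name__ == "__main__":
    for row in review_list(denied_containers(SAMPLE_LOG, "acctapp.exe")):
        print(row)
```

Rows flagged as sensitive are the ones to resolve some other way than a broad permission grant.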
Anonymous
February 19, 2005 4:04:27 PM

Andrew gives great advice on tracking down permissions problems. Usually you
will find users denied access to the application folder in program files,
the application subfolder in program files\common files, the application
subfolder in the all users profiles\application data folder, or the
HKLM\software folder for the application. It is not always possible to solve
the problem with permission changes. If the user can run the application as
a power user then it should be able to be solved with modifying permissions.

If all that fails and since the clients are XP Pro you can use Software
Restriction Policies to restrict what application a domain user runs and
installs on their domain computer. This also can apply to local
administrators via the enforcement rule [except for safe mode]. Of course a
local administrator could always unjoin a computer from the domain to avoid
any domain policy assuming they know that they are an administrator, that
they know how, and would take the risk based on consequences in your user
computer use policy. The link below explains SRP more. You will probably
find that using hash and path rules will do what you want and check all the
files that are considered applications for SRP as admins usually get tripped
up not realizing that shortcuts are considered applications by default. ---
Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/m...
--- SRP.

Anonymous
February 21, 2005 4:07:41 PM

Another possibility is to apply the compatws security template - use the
Security and Configuration Analysis mmc Snap-in. This changes the security
on various things that are often required so that users can run "not well
behaved" programs.

I also suggest contacting the program's vendor and suggest they modify their
application to follow the generic rules for Windows based applications so
customers don't have this problem.

--
Bruce Sanderson MVP

It's perfectly useless to know the right answer to the wrong question.


Anonymous
February 21, 2005 4:25:16 PM

In addition to Andrew's and Steven's great answers, you can also use the
Application Compatibility Toolkit to find out what the application tries to
do.

http://www.microsoft.com/windows/appcompatibility/defau...

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------


Anonymous
February 22, 2005 2:12:35 AM

That certainly can work but the thing I don't like about it is that it will
give users write access to places like the system folder, though it is a
better option than making the user a power user. Often a few tweaks will
allow an application to work if the user is lucky. --- Steve


"Bruce Sanderson" <Bruce.Sanderson@junk.junk> wrote in message
news:o 3FiilFGFHA.128@TK2MSFTNGP14.phx.gbl...
> Another possibility is to apply the compatws security template - use the
> Security and Configuration Analysis mmc Snap-in. This changes the
> security on various things that are often required so that users can run
> "not well behaved" programs.
>
> I also suggest contacting the program's vendor and suggest they modify
> their application to follow the generic rules for Windows based
> applications so customers don't have this problem.