How to grant an app Admin privaleges?

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I have three apps that users are required to use that must have local
administrator access to run. I'm not sure what they need admin access
for yet but they certainly won't run without it.

I have a reluctance to grant every user that runs these apps local
admin access (especially with all the sypware out there now.)

I've tried RUN AS but that doesn't grant enough privaleges apparently
as they won't run under "Run As".

Is there a way I can grant admin access to ONLY the application(s) and
not the users in general? I can't count the hours I've spent trying to
remove spyware and dopy apps some of these users d/l or bring in from
home.

-Fran-
3 answers Last reply
More about grant admin privaleges
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    There is no native way to do such. Windows XP Pro can use Software
    Restriction Policies to restrict what applications a user can install or
    run - even the local administrator. Otherwise you can try to get the
    application to work as a regular user by modifying ntfs and registry
    permissions though that will not always work if administrator access is
    required that can not be given to a regular user through changing
    ntfs/registry permissions or user rights. If the application will work when
    the user is a power user then it is possible for sure. The main areas to
    check are the application folder in program files, any application subfolder
    in program files\common files, and application subfolder in the documents
    and settings\all users\application data folder, and for the application
    folder registry key in hklm\software. You would want to give users write or
    possibly modify permissions to those locations.

    Beyond that you can use the free tools from SysInternals called filemon and
    regmon to try and track down "access denied" log entries for a regular user
    when the application is run. Since their may be multiple places where
    permissions need to be modified you would have to continue to run
    filemon/regmon in a trial end error basis after making permission changes to
    allow a user access to the file or registry key where they were denied
    access until no more access denied log entries are found. To be able to do
    this you need to logon as a regular user, execute filemon or regmon via
    runas with admin credentials just before you try to run the application, and
    stop logging of filemon/regmon as soon as the application fails and view
    the logs for access denied. The log can contain thousands of entries but you
    will learn to scan them fairly fast. It may also be helpful to enable
    auditing of object access and privilege use for failure to see if entries
    are recorded in the security log that may also prove helpful. A failure of a
    privilege use mean the user does not have the user right as shown in Local
    Security Policy. --- Steve

    http://www.sysinternals.com/ntw2k/source/filemon.shtml

    "Fran >" <<fran> wrote in message
    news:2hpv11doudsd3mcmh1aacqr54rjns10c8n@4ax.com...
    >I have three apps that users are required to use that must have local
    > administrator access to run. I'm not sure what they need admin access
    > for yet but they certainly won't run without it.
    >
    > I have a reluctance to grant every user that runs these apps local
    > admin access (especially with all the sypware out there now.)
    >
    > I've tried RUN AS but that doesn't grant enough privaleges apparently
    > as they won't run under "Run As".
    >
    > Is there a way I can grant admin access to ONLY the application(s) and
    > not the users in general? I can't count the hours I've spent trying to
    > remove spyware and dopy apps some of these users d/l or bring in from
    > home.
    >
    > -Fran-
  2. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Thanks, Steve. I grabbed the tools. Yes, there is a bit of info
    captured by them!

    I will begin running tests real time on Monday. I appreciate your
    help. Do I use RegEdit to change permission to key(s) so the program
    can write to them? Is that how that works?

    Also, is there a way I can assign any of this through a group policy
    or will I have to do this for EVERY user on the LAN that uses these
    apps?

    -Fran-
  3. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Yes you can use regedt32 or regedit to change permissions to a registry key
    similar to the way to change folder permissions. You can apply registry and
    file permissions via Group Policy. If you go to computer
    configuration/Windows settings/security settings - registry and/or file
    system. If you try to create a new entry that is not on the computer where
    you are configuring the policy you can simply enter the file or registry
    path. I suggest doing this ONLY at the organizational unit level so as to
    not affect domain controllers and other servers. If you do try such, test it
    out on a few computers that you place in the OU where you configure file
    system and/or registry settings before you roll it out on a larger scale.
    Also note that if you remove file system/registry settings the changes that
    they implemented stay in place on the computers that they were applied
    o. --- Steve


    "Fran >" <<fran> wrote in message
    news:6k12211e0785d6chumtsjc9amaphe7v427@4ax.com...
    > Thanks, Steve. I grabbed the tools. Yes, there is a bit of info
    > captured by them!
    >
    > I will begin running tests real time on Monday. I appreciate your
    > help. Do I use RegEdit to change permission to key(s) so the program
    > can write to them? Is that how that works?
    >
    > Also, is there a way I can assign any of this through a group policy
    > or will I have to do this for EVERY user on the LAN that uses these
    > apps?
    >
    > -Fran-
Ask a new question

Read More

Apps Windows