Programs that need admin rights, but user shouldn't have t..

Archived from groups: microsoft.public.win2000.group_policy

I have several programs that users need to run. These programs require the
user to have local machine and domain local admin rights. I have noticed
that they are now able to bypass a lot of the GPO settings because of their
admin rights. Is there a setting in the GPOs that will make the GPOs
apply to them as well? I want these users to be as restricted in what they
can do as everyone else.

chris
  1.

    1. complain to the application vendor that their application is not "well
    behaved" and they should modify it so it doesn't need "Administrator"
    privileges.

    2. in many such cases, applications only need the ability to modify files in
    some folders that "Users" are not permitted by default to change. For
    example, many "ill behaved" applications insist on storing data or
    configuration information in their Program Files folder. In these cases, if
    you grant Users "Modify" permission to those folders, they will no longer
    need to be "Administrators" to run the application.

    3. the Security Template called "compatws" selectively modifies permissions
    on some folders and registry entries in such a way that the "ill behaved"
    applications can run with only User privileges. You apply Security
    Templates using the "Security Configuration and Analysis" MMC snap-in.

    4. in some cases, the application's installation process will allow you to
    specify where data and configuration files are to go. If you specify a
    location that Users can Modify, they won't need to be Administrators to run
    the application.

    5. in some cases, the application's configuration files or registry entries
    can be modified to specify that data files are to be stored in a location
    other than the default. If this is the case, you can move the data files to
    a location that Users can modify. You may have to contact the vendor or do
    some investigation (using a tool like Regmon or Filemon from
    Sysinternals) to find out if this is practical.

    If none of the above is useful:

    6. some settings made via GPOs cannot be overridden by anyone that is an
    Administrator on the computer (e.g. some of the Windows XP Firewall
    settings), but others CAN be overridden by a local administrator. There is
    not much you can do about this except not make the user an Administrator.
    Often, the "Explain" or "Help" for these settings indicates whether a local
    administrator can override the setting or not.

    7. the GPO(s) may have Security Filtering or "Delegation" that prevents the
    GPO from applying to user accounts in certain groups (e.g. a domain group
    used to grant Administrator rights on workstations). In this case, it may
    be possible to have one group for "true administrators" and another group
    for "users that need to be administrators to run applications". Both groups
    could be added to the local administrators group on the workstation. Then,
    you could cause the GPO to be applied for the second group, but not the
    first (but see 6 above).

    --
    Bruce Sanderson MVP

    It's perfectly useless to know the right answer to the wrong question.

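A check to run after widening folder permissions as in point 2 of the reply above, given as an added example that is not part of the original thread: it lists program files under the application folder that broad non-administrative groups are allowed to change, since "Modify" on a folder that also holds executables lets any user replace the code other users run. The install path is a hypothetical placeholder, PowerShell 5.1 or later is assumed, and Deny entries are not evaluated.

```powershell
# Added example, not from the thread. Run from an elevated prompt so every ACL is readable.
param(
    [string]$AppRoot = 'C:\Program Files\ExampleApp'   # hypothetical install folder
)

# Broad non-administrative principals, keyed by well-known SID.
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Access bits that allow a file to be changed or replaced.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

# File types treated as code rather than data.
$binaryExt = '.exe', '.dll', '.sys', '.ocx', '.bat', '.cmd', '.ps1', '.vbs'

function Get-WritableBinary {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $binaryExt -contains $_.Extension } |
        ForEach-Object {
            $file  = $_
            # Explicit and inherited entries, with identities returned as SIDs.
            $rules = (Get-Acl -LiteralPath $file.FullName).GetAccessRules(
                $true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($rule in $rules) {
                $sid = $rule.IdentityReference.Value
                if ($rule.AccessControlType -eq 'Allow' -and
                    $lowPriv.ContainsKey($sid) -and
                    ([int]$rule.FileSystemRights -band $writeMask) -ne 0) {
                    [pscustomobject]@{
                        Path      = $file.FullName
                        Principal = $lowPriv[$sid]
                        Rights    = $rule.FileSystemRights
                        Inherited = $rule.IsInherited
                    }
                }
            }
        }
}

Get-WritableBinary -Root $AppRoot | Sort-Object Path | Format-Table -AutoSize -Wrap
```

An empty result means the grant reached only data files; any row is a file to move the grant away from, for example by granting on the data subfolder instead of the application root.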
  2.

    Bruce;

    Thanks for the detailed reply.

    I am seeing #6 to be true. Some GPO settings stick and some don't. I did
    see in some of the helps that some settings talked about being able to be
    overwritten by local admins. Laziness on the part of the software vendors
    I'd guess. One of my biggest culprits is UPS Worldship. I think I may try
    a combination of 6-7. I like the idea of groups.

    I'll post here when I find the solution that works.

    chris

  3.

    Looks like I actually got by by just upgrading the permissions on the
    folders for domain\username to admin rights.

    Done

  4.

    Good. That is quite often the case for what I call "badly behaving"
    programs!

    A design rule for applications since NT 4 (and actually Windows 95) is that
    applications should not store data and configuration files that are updated
    during normal operation in the Program Files folder. Unfortunately, there
    are a lot of application developers and vendors that don't seem to be
    getting this message!

    --
    Bruce Sanderson MVP Printing
    http://members.shaw.ca/bsanders

    It is perfectly useless to know the right answer to the wrong question.

  5.

    Hi,

    I haven’t met a program yet that I can’t make run under a Regular User
    with a few individual file "write" access permissions and a few
    specific registry "write" access permissions. I run everything from
    AutoCAD to Adobe. Now over the years, Adobe and Macromedia have become
    very well behaved but AutoCAD is still bad.

    It actually is quite easy to do. 1> Install your "badly behaved"
    programs on a test machine. Log in as an Admin. Run the application
    and then search the HD for any files with today's date and a time that
    is the same as when you ran the app. With the exception of the
    recognized "system.dat" files etc. you can see which files need
    write access.

    For the registry it is a little trickier. You can use inctrl5 to do a
    scan of files and folders as well as reg keys
    http://www.sd61.bc.ca/windows2000/downloads/inctrl5.zip

    Or you can just open up the Registry and give users "Full Control"
    Permissions on the HKLMachine-Software-SoftwareCompanyName.

    However, if I were you I would contact UPS and ask for a software
    update that runs under Windows XP regular user. It is in their best
    interest to make their software as compatible with their users’
    networks as possible. If it were my network, whether their software
    would run under Windows XP regular user would be the "make or break"
    dealmaker as to whether I used UPS or another shipping company.

    I have had great success with contacting companies about this. So far
    Autodesk is the only one who has yet to conform.

    Cheers,

    Lara

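The file-discovery step described in the last answer, given as an added example that is not part of the original thread: it runs the application once on a test machine, lists the files written during that run, and prints narrowly scoped `icacls` grants for review without applying them. The executable path, folder and group name are hypothetical placeholders, PowerShell 5.1 or later is assumed, and registry writes are not covered, so those still need one of the tools named in the thread.

```powershell
# Added example, not from the thread. Run on a test machine from an elevated prompt.
param(
    [string]  $Exe   = 'C:\Program Files\ExampleApp\app.exe',  # hypothetical
    [string[]]$Roots = @('C:\Program Files\ExampleApp'),       # hypothetical
    [string]  $Group = 'EXAMPLE\ExampleApp-Users'              # hypothetical group
)

# File types treated as code rather than data.
$binaryExt = '.exe', '.dll', '.sys', '.ocx', '.bat', '.cmd', '.ps1', '.vbs'

function Get-FilesTouchedSince {
    param([datetime]$Since, [string[]]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                Folder   = $_.DirectoryName
                Created  = $_.CreationTime -ge $Since   # new file: needs a folder-level grant
                IsBinary = $binaryExt -contains $_.Extension
            }
        }
}

function Get-ProposedGrant {
    param([object[]]$Touched, [string]$Principal)
    # Never propose write access to executable content; report it instead.
    foreach ($b in $Touched | Where-Object IsBinary) {
        "REVIEW  $($b.Path) was modified at run time; do not grant write access to code"
    }
    $data = @($Touched | Where-Object { -not $_.IsBinary })
    # Folders where files were created need an inheritable grant, unless code lives there.
    $newFolders = @($data | Where-Object Created | Select-Object -ExpandProperty Folder -Unique)
    $granted = @()
    foreach ($dir in $newFolders) {
        $hasCode = Get-ChildItem -LiteralPath $dir -File |
            Where-Object { $binaryExt -contains $_.Extension } | Select-Object -First 1
        if ($hasCode) {
            "REVIEW  $dir holds both code and new data files; relocate the data before granting"
        } else {
            $granted += $dir
            "icacls `"$dir`" /grant `"${Principal}:(OI)(CI)(M)`""
        }
    }
    # Existing files that were only rewritten get a grant on the single file.
    foreach ($f in $data | Where-Object { -not $_.Created -and $granted -notcontains $_.Folder }) {
        "icacls `"$($f.Path)`" /grant `"${Principal}:(M)`""
    }
}

$start = Get-Date
Start-Process -FilePath $Exe -Wait     # exercise every feature users need, then exit the app
Get-ProposedGrant -Touched (Get-FilesTouchedSince -Since $start -Path $Roots) -Principal $Group
```

A per-file grant is lost if the application saves by deleting and recreating the file, so repeat the run as a member of the group before relying on the printed commands.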