Programs that need admin rights, but user shouldn't have t..

Guest
Archived from groups: microsoft.public.win2000.group_policy

I have several programs that users need to run. These programs require the
user to have local machine and domain local admin rights. I have noticed
that they are now able to bypass a lot of the GPO settings because of their
admin rights. Is there a setting in the GPOs that will make the GPOs
apply to them as well? I want these users to be as restricted in what they
can do as everyone else.

chris
 
Guest

1. complain to the application vendor that their application is not "well
behaved" and they should modify it so it doesn't need "Administrator"
privileges.

2. in many such cases, applications only need the ability to modify files in
some folders that "Users" are not permitted by default to change. For
example, many "ill behaved" applications insist on storing data or
configuration information in their Program Files folder. In these cases, if
you grant Users "Modify" permission to those folders, they will no longer
need to be "Administrators" to run the application.

3. the Security Template called "compatws" selectively modifies permissions
on some folders and registry entries in such a way that the "ill behaved"
applications can run with only User privileges. You apply Security
Templates using the "Security Configuration and Analysis" MMC snap-in.

4. in some cases, the application's installation process will allow you to
specify where data and configuration files are to go. If you specify a
location that Users can Modify, they won't need to be Administrators to run
the application.

5. in some cases, the application's configuration files or registry entries
can be modified to specify that data files are to be stored in a location
other than the default. If this is the case, you can move the data files to
a location that Users can modify. You may have to contact the vendor or do
some investigation (using a tool like regmon or filemon from Sysinternals)
to find out if this is practical.

If none of the above is useful:

6. some settings made via GPOs cannot be overridden by anyone that is an
Administrator on the computer (e.g. some of the Windows XP Firewall
settings), but others CAN be overridden by a local administrator. There is
not much you can do about this except not make the user an Administrator.
Often, the "Explain" or "Help" for these settings indicates whether a local
administrator can override the setting or not.

7. the GPO(s) may have Security Filtering or "Delegation" that prevents the
GPO from applying to user accounts in certain groups (e.g. a domain group
used to grant Administrator rights on workstations). In this case, it may
be possible to have one group for "true administrators" and another group
for "users that need to be administrators to run applications". Both groups
could be added to the local administrators group on the workstation. Then,
you could cause the GPO to be applied for the second group, but not the
first (but see 6 above).

--
Bruce Sanderson MVP

It's perfectly useless to know the right answer to the wrong question.
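Bruce's options 2, 3 and 7 carried through as one worked script. This is an added example, not code from the thread or from Microsoft; it assumes PowerShell 5.1 run elevated on a domain-joined workstation (the thread is Windows 2000/XP era, where `secedit` and the compatws.inf template exist but the PowerShell cmdlets do not), the RSAT GroupPolicy module for the GPO step, and placeholder names for the data folder, the domain, the two groups and the GPO.

```powershell
# Added example, not code from the thread. Assumptions: PowerShell 5.1, run elevated on a
# domain-joined workstation; RSAT GroupPolicy module for the GPO step. All names below are
# placeholders.
$AppDataDir = 'C:\Program Files\ExampleVendor\ExampleApp\Data'   # placeholder: folder the app writes to
$GpoName    = 'Workstation Restrictions'                          # placeholder GPO name
$TrueAdmins = 'Workstation-True-Admins'                           # placeholder group: real administrators
$AppAdmins  = 'Workstation-App-Admins'                            # placeholder group: admin only to run the app
$Domain     = 'EXAMPLE'                                           # placeholder NetBIOS domain name

# Option 2: give Users "Modify" on just the data folder, never on the folder holding the
# executables (Modify there would let any user replace the program's binaries).
function Grant-UsersModify {
    param([string]$Folder)
    $acl  = Get-Acl -Path $Folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                'BUILTIN\Users', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
    # return the explicit (non-inherited) ACEs so the change can be reviewed
    (Get-Acl -Path $Folder).Access | Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}
Grant-UsersModify -Folder $AppDataDir | Format-Table -AutoSize

# Option 3: apply the compatws template from the command line, which is what the Security
# Configuration and Analysis snap-in does interactively. compatws.inf ships in
# %windir%\security\templates on Windows 2000/XP/2003; later versions may not carry it.
$Template = Join-Path $env:windir 'security\templates\compatws.inf'
if (Test-Path $Template) {
    secedit /configure /db "$env:windir\security\database\compatws.sdb" /cfg $Template `
            /overwrite /log "$env:TEMP\compatws.log" /quiet
} else {
    Write-Warning "compatws.inf not found at $Template (not shipped on this Windows version)"
}

# Option 7: two groups. Both become local Administrators, but only the app-admins group has
# Apply on the restricting GPO. Authenticated Users keeps Read (the GPO must stay readable for
# policy processing) but loses Apply, so the true-admins group is no longer covered.
# Point 6 still holds: a local administrator can override some settings regardless.
Import-Module GroupPolicy
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -TargetName $AppAdmins -TargetType Group -PermissionLevel GpoApply
Add-LocalGroupMember -Group 'Administrators' -Member "$Domain\$TrueAdmins", "$Domain\$AppAdmins"

# Check the resulting security filtering on the GPO
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission |
    Format-Table -AutoSize
```

Run the folder step against the narrowest folder the application actually writes to; if the program insists on writing next to its own executables, options 4 and 5 (relocating the data) are the safer fix, because a Modify grant on that folder lets every user swap the binaries.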
 
Guest

Bruce;

thanks for the detailed reply.

I am seeing #6 to be true. Some GPO settings stick and some don't. I did
see in some of the helps that some settings talked about being able to be
overwritten by local admins. Laziness on the part of the software vendors
I'd guess. One of my biggest culprits is UPS Worldship. I think I may try
a combination of 6-7. I like the idea of groups.

I'll post here when I find the solution that works.

chris
 
Guest

Looks like I actually got by by just upgrading the permissions on the
folders for domain\username to admin rights.

Done
 
Guest

Good. That is quite often the case for what I call "badly behaving"
programs!

A design rule for applications since NT 4 (and actually Windows 95) is that
applications should not store data and configuration files that are updated
during normal operation in the Program Files folder. Unfortunately, there
are a lot of application developers and vendors that don't seem to be
getting this message!

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
 
Guest

Hi,

I haven't met a program yet that I can't make run under a Regular User
with a few individual file "write" access permissions and a few
specific registry "write" access permissions. I run everything from
AutoCAD to Adobe. Now over the years, Adobe and Macromedia have become
very well behaved but AutoCAD is still bad.

It actually is quite easy to do. 1> Install your "badly behaved"
programs on a test machine. Login as an Admin. Run the application
and then Search the HD for any files for today's date with a time that
is the same as when you ran the app. With the exception of the
recognized "system.dat" files etc. you can see which files need
write access.

For the registry it is a little trickier. You can use inctrl5 to do a
scan of files and folders as well as reg keys
http://www.sd61.bc.ca/windows2000/downloads/inctrl5.zip

Or you can just open up the Registry and give users "Full Control"
Permissions on the HKLMachine-Software-SoftwareCompanyName.

However, IF I were you I would Contact UPS and ask for a software
update that runs under Windows XP regular user. It is in their best
interest to make their software as compatible with their users'
networks as possible. If it were my network, whether their software
would run under Windows XP regular user would be the "make or break"
dealmaker as to whether I used UPS or another shipping company.

I have had great success with contacting companies about this. So far
Autodesk is the only one who has yet to conform.

Cheers,

Lara

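Lara's test-machine procedure (run the application once as an administrator, list what it wrote, then open up only the vendor's registry key) as an added PowerShell example; this is not code from the thread. It assumes PowerShell 5.1 run elevated on a test machine and placeholder paths for the executable and the vendor key. It does the "search the HD for today's date" step by timestamp rather than by eye, grants Modify only on the folders the app actually wrote into, and narrows her "Full Control" on the registry key to the specific rights a data-writing application needs, recording the ACEs before and after so the change can be reviewed.

```powershell
# Added example, not code from the thread. Assumptions: PowerShell 5.1, run elevated on a
# TEST machine. $AppExe and $VendorKey are placeholders for the application and its HKLM key.
$AppExe    = 'C:\Program Files\ExampleVendor\ExampleApp\app.exe'   # placeholder
$VendorKey = 'HKLM:\SOFTWARE\ExampleVendor'                         # placeholder
$Roots     = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:ProgramData") |
                 Where-Object { $_ -and (Test-Path $_) }

# Step 1: note the time, run the application once (exercise it: open, save, print, exit),
# then list every file under the search roots written since that moment.
function Get-FilesWrittenByApp {
    param([string]$Exe, [string[]]$SearchRoots)
    $started = Get-Date
    Start-Process -FilePath $Exe -Wait
    Get-ChildItem -Path $SearchRoots -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $started } |
        Select-Object FullName, LastWriteTime, Length
}

$written = Get-FilesWrittenByApp -Exe $AppExe -SearchRoots $Roots
$written | Format-Table -AutoSize

# Step 2: grant Users "Modify" on each folder the app wrote into, not on the whole install tree.
# Review the list first: if a folder also holds executables, relocating the data is safer.
$written.FullName | Split-Path -Parent | Sort-Object -Unique | ForEach-Object {
    $acl  = Get-Acl -Path $_
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                'BUILTIN\Users', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $_ -AclObject $acl
}

# Step 3: registry. Instead of Full Control on the vendor key, grant the rights a data-writing
# application actually uses: read, set values, create subkeys. Users still cannot change the
# key's permissions or take ownership, so they cannot widen this grant later.
function Grant-UsersVendorKeyWrite {
    param([string]$Key)
    $before = (Get-Acl -Path $Key).Access | Where-Object { -not $_.IsInherited }
    $rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
    $rule   = New-Object System.Security.AccessControl.RegistryAccessRule(
                  'BUILTIN\Users', $rights, 'ContainerInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $Key
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Key -AclObject $acl
    $after = (Get-Acl -Path $Key).Access | Where-Object { -not $_.IsInherited }
    [pscustomobject]@{ Before = $before; After = $after }
}

$change = Grant-UsersVendorKeyWrite -Key $VendorKey
'--- before ---'; $change.Before | Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
'--- after ----'; $change.After  | Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
```

The file search covers Program Files and ProgramData only; an application that writes into the user's own profile already has the rights it needs there. Once the folder and key list is confirmed on the test machine, the same grants can be pushed to production through a GPO's File System and Registry security settings instead of being applied by hand.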