Archived from groups: microsoft.public.win2000.group_policy
Good. That is quite often the case for what I call "badly behaving"
programs!
A design rule for applications since NT 4 (and actually Windows 95) is that
applications should not store data and configuration files that are updated
during normal operation in the Program Files folder. Unfortunately, there
are a lot of application developers and vendors that don't seem to be
getting this message!
--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"Repent34" <Repent34@anon.postalias> wrote in message
news:uGq6lO9bFHA.2180@TK2MSFTNGP12.phx.gbl...
> Looks like I actually got by by just upgrading the permissions on the
> folders for domain\username to admin rights.
>
> Done
>
>
>
> "Repent34" <Repent34@anon.postalias> wrote in message
> news:e9xvAGIbFHA.2980@TK2MSFTNGP10.phx.gbl...
>> Bruce;
>>
>> Thanks for the detailed reply.
>>
>> I am seeing #6 to be true. Some GPO settings stick and some don't. I
>> did see in some of the helps that some settings talked about being able
>> to be overwritten by local admins. Laziness on the part of the software
>> vendors I'd guess. One of my biggest culprits is UPS Worldship. I think
>> I may try a combination of 6-7. I like the idea of groups.
>>
>> I'll post here when I find the solution that works.
>>
>> chris
>>
>> "Bruce Sanderson" <Bruce.Sanderson@junk.junk> wrote in message
>> news:egLDkUGbFHA.3120@TK2MSFTNGP12.phx.gbl...
>>> 1. complain to the application vendor that their application is not
>>> "well behaved" and they should modify it so it doesn't need
>>> "Administrator" privileges.
>>>
>>> 2. in many such cases, applications only need the ability to modify
>>> files in some folders that "Users" are not permitted by default to
>>> change. For example, many "ill behaved" applications insist on storing
>>> data or configuration information in their Program Files folder. In
>>> these cases, if you grant Users "Modify" permission to those folders,
>>> they will no longer need to be "Administrators" to run the application.
>>>
>>> 3. the Security Template called "compatws" selectively modifies
>>> permissions on some folders and registry entries in such a way the "ill
>>> behaved" applications can run with only User privileges. You apply
>>> Security Templates using the "Security Configuration and Analysis" MMC
>>> snap-in.
>>>
>>> 4. in some cases, the application's installation process will allow you
>>> to specify where data and configuration files are to go. If you specify
>>> a location that Users can Modify, they won't need to be Administrators
>>> to run the application.
>>>
>>> 5. in some cases, the application's configuration files or registry
>>> entries can be modified to specify that data files are to be stored in a
>>> location other than the default. If this is the case, you can move the
>>> data files to a location that Users can modify. You may have to contact
>>> the vendor or do some investigation (using a tool like regmon or filemon
>>> from System Internals) to find out if this is practical.
>>>
>>> If none of the above is useful:
>>>
>>> 6. some settings made via GPOs cannot be overridden by anyone that is an
>>> Administrator on the computer (e.g. some of the Windows XP Firewall
>>> settings), but others CAN be overridden by a local administrator. There
>>> is not much you can do about this except not make the user an
>>> Administrator. Often, the "Explain" or "Help" for these settings
>>> indicates whether a local administrator can override the setting or not.
>>>
>>> 7. the GPO(s) may have Security Filtering or "Delegation" that prevents
>>> the GPO from applying to user accounts in certain groups (e.g. a domain
>>> group used to grant Administrator rights on workstations). In this
>>> case, it may be possible to have one group for "true administrators" and
>>> another group for "users that need to be administrators to run
>>> applications". Both groups could be added to the local administrators
>>> group on the workstation. Then, you could cause the GPO to be applied
>>> for the second group, but not the first (but see 6 above).
>>>
>>> --
>>> Bruce Sanderson MVP
>>>
>>> It's perfectly useless to know the right answer to the wrong question.
>>>
>>>
>>> "Repent34" <Repent34@anon.postalias> wrote in message
>>> news:eDopEvFbFHA.3328@TK2MSFTNGP09.phx.gbl...
>>>>I have several programs that users need to run. These programs require
>>>>the user to have local machine and domain local admin rights. I have
>>>>noticed that they are now able to bypass a lot of the GPO settings
>>>>because of their admin rights. Is there a setting in the GPO's that
>>>>will make the GPO's apply to them as well? I want these users to be as
>>>>restricted in what they can do as everyone else.
>>>>
>>>> chris
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
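
An added example, not part of the original thread: one way to apply item 2 above (grant Users "Modify" on the folder an application writes to, instead of adding the user to Administrators) with PowerShell. The function name and the folder in the usage comment are hypothetical; the script also lists executables under the folder, since those become user-replaceable once Modify is granted.

```powershell
# Added example: grant BUILTIN\Users "Modify" on one application data folder
# so the program runs without local Administrators membership.
function Grant-UsersModify {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }

    # BUILTIN\Users by well-known SID, so the lookup is not locale dependent.
    $users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

    # Executables under the folder become replaceable by any user once Modify
    # is granted; list them so a narrower (data-only) folder can be chosen.
    $binaries = @(Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.sys', '.bat', '.cmd' })
    if ($binaries.Count -gt 0) {
        Write-Warning "$($binaries.Count) executable file(s) under $Path would become user-writable:"
        $binaries | Select-Object -First 10 | ForEach-Object { Write-Warning "  $($_.FullName)" }
    }

    # Modify, inherited by subfolders (ContainerInherit) and files (ObjectInherit).
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $users,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    if ($PSCmdlet.ShouldProcess($Path, 'Grant BUILTIN\Users Modify')) {
        $acl = Get-Acl -LiteralPath $Path
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $Path -AclObject $acl
    }

    # Return the explicit (non-inherited) entries so the result can be reviewed.
    (Get-Acl -LiteralPath $Path).Access | Where-Object { -not $_.IsInherited }
}

# Dry run first, then apply (hypothetical folder name):
# Grant-UsersModify -Path 'C:\Program Files\ExampleApp\Data' -WhatIf
```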