2003 AD

Guest

We are moving to AD from an NT 4.0 domain structure. Everything is going well,
with the exception that some applications, such as Application Extender and
E-Backoffice, require that the user be a member of the local administrators
group on the local machine. I think this is because the applications are
attempting to write to the registry (e-backoffice error: Can not create user
key). Is there a way within the GPO to allow these applications to function
correctly yet have the security locked down at the workstation level? Any
assistance would be great.
 
B,

There is something called 'Restricted Groups' GPO that might help you.
Please look at the following MSKB Articles:

http://support.microsoft.com/?id=320065
http://support.microsoft.com/?id=810076

Please pay particular attention to the IMPORTANT note in 320065! You could
try Power Users first and then, if necessary, Administrators.

However, there might be a better way. Usually the application needs access
to certain areas of the registry or to some folder(s). There might be an
easy answer. Simply give the users the necessary permissions to those
registry and / or folder(s). Now, how to determine the who and the what?
Look at regmon and filemon at http://www.sysinternals.com for the answer!

And do not get me started on the application needing the domain user account
objects to be members of the local Administrators group!!!! Lazy
programmers!!!!!! Well, not always. If it is an older application (really
'older') when WIN98 was the king....

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
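
The permission-based approach suggested in the reply above, sketched in PowerShell as an added example that is not part of the original thread: instead of local Administrators membership, a group is granted write access only to the registry keys and folders the application was seen failing on. The function name, group, key and folder are hypothetical placeholders; substitute the paths identified with regmon and filemon.

```powershell
# Added example. Grant-AppAccess, the group name and all paths are placeholders.
function Grant-AppAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,   # group that runs the application
        [string[]]$RegistryKey = @(),              # keys the application must write to
        [string[]]$Folder = @()                    # folders the application must write to
    )
    $none  = [System.Security.AccessControl.PropagationFlags]::None
    $allow = [System.Security.AccessControl.AccessControlType]::Allow

    foreach ($key in $RegistryKey) {
        # Read, set values and create subkeys; no delete, no permission or owner changes.
        $rights  = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit'
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Identity, $rights, $inherit, $none, $allow)
        $acl = Get-Acl -Path $key
        $acl.AddAccessRule($rule)
        if ($PSCmdlet.ShouldProcess($key, "Grant '$rights' to $Identity")) {
            Set-Acl -Path $key -AclObject $acl
        }
    }

    foreach ($dir in $Folder) {
        # Modify covers read, write and delete of files, but not changing the ACL.
        $rights  = [System.Security.AccessControl.FileSystemRights]'Modify'
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity, $rights, $inherit, $none, $allow)
        $acl = Get-Acl -Path $dir
        $acl.AddAccessRule($rule)
        if ($PSCmdlet.ShouldProcess($dir, "Grant '$rights' to $Identity")) {
            Set-Acl -Path $dir -AclObject $acl
        }
    }
}

# Dry run first: -WhatIf lists each change without applying it.
Grant-AppAccess -Identity 'EXAMPLE\App-Users' `
    -RegistryKey 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp' `
    -Folder 'C:\Program Files\ExampleApp\Data' -WhatIf
```

Run it from an elevated session on a test workstation, confirm the application works for a non-administrator, and then roll the same permissions out centrally.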
 