Determine WHO can use WHAT application?

Thread starter: Tosca
Hi everyone

This isn't directly related to security of a computer system but it is
related to security in determining user access to various applications.

I have XP Pro SP2 and have several users set up to use a laptop. I'm happy
for everyone to have access to applications such as the MS Office Suite but
I'd like to be able to specify exactly which users can use certain software
such as AdAware, Spybot, WinZip etc. I can copy the shortcut into their
Start folder which limits access to some extent but that doesn't stop them
using Windows Explorer to find the application to run it from there. I
don't want the "rule" to allow or deny access to the application to be as
simple as whether they're an Administrator or not - for instance, if A, B
and C have Administrator rights and D, E and F don't, I might want to allow
A, B and E to have access to run a particular application.

I have NTFS and feel that this must be available on an OS as sophisticated
as XP Pro. The question is: How?

Thanks for your time and patience.
 
I've been doing some googling and suspect that it's via Policy Editor but,
as it's complicated, I don't want to delve in blind. It's rather like
starting to use the Registry Editor - lots of warnings about what to do and
what not to do - but I need some basic-level guidance about the Policy
Editor as I don't want to do anything stupid that might lock me out.

Fingers crossed that someone can help me.
 
i know there is a Local Group Policy that defines what programs
everybody is allowed to run and what programs everybody is Not allowed
to run, but that is not what you want, because the restrictions and
permissions apply to Everybody.

since what you want is to define, for each individual account, a separate
restriction or permission for individual programs on a program-by-program
and individual-by-individual basis, i cannot think of anything that
flexible except the following :

assign permission to a new Group for each directory in Program Files,
and then assign individual accounts to each new Group according to which
person you want to have permission to run programs in that directory.

i would like to give you an example, but i regret i've got to leave so
suddenly, because voltage in my house is starting to fluctuate wildly
for some strange reason.
 
Oh - I hope there isn't a major problem at home for you!

Yes, an example would be great. Ideally, what I'd like is a spreadsheet
with Accounts along the top and Applications down the side. I'd tick or
cross the appropriate intersections - but I realise it's not that simple!
 
Create local groups that have the specific combinations of permissions
that you want, and then add the local user accounts to those groups as
appropriate.


HOW TO Create and Configure User Accounts in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;279783

HOW TO Set, View, Change, or Remove File and Folder Permissions
http://support.microsoft.com/default.aspx?scid=kb;en-us;q308418

HOW TO Set, View, Change, or Remove Special Permissions for Files and
Folders
http://support.microsoft.com/default.aspx?scid=kb;[LN];Q308419


--

Bruce Chambers

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
for example, add a new group Group1 with Read/Execute permission to the
1st directory in Program Files, add a new group Group2 with Read/Execute
permission to the 2nd directory in Program Files, add a new group Group3
with Read/Execute permission to the 3rd directory in Program Files, add
a new group Group4 with Read/Execute permission to the 4th directory in
Program Files, add a new group Group5 with Read/Execute permission to
the 5th directory in Program Files, etc.

then for example, add AccountA, AccountJ and AccountR to Group1; add
AccountB, AccountK and AccountS to Group2; add AccountC, AccountL and
AccountT to Group3; add AccountD, AccountM and AccountU to Group4; add
AccountE, AccountN and AccountW to Group5; add AccountF, AccountO and
AccountX to Group6; add AccountG, AccountP and AccountZ to Group7; etc.

if Read/Execute permission is not sufficient, then change the permission
to Write or Modify as needed. for the Program Files directory and every
parent folder, you will have to change permission to "This Folder Only"
for the groups named Users and Everyone, or else everybody in those
groups will inherit permission from Program Files or a parent folder to
run everything in every subfolder. the same is true for the group named
Administrators but be very very careful here (you are hereby warned)
that you must first add a new Full Control permission to Program Files
and all subfolders/files for at least one of the Admin accounts (e.g.
the one named in Group Policy) before you change permission to
Read/Execute for the entire group named Administrators. if you do not
first add a new Full Control permission to Program Files and all
subfolders for at least one of the Admin accounts (e.g. the one named in
Group Policy) before you change permission to Read/Execute for the
entire group named Administrators, then you might never be able to
Write, Update, Modify, Change Permission, or Take Ownership again for
Program Files.
 
Thanks for the comprehensive responses - I'll try your suggestions. I just
posted the same scenario elsewhere as I really need to get on with this and
have been pulling my hair out over it. I realise that there could have been
a great delay because of your (JW) problems at home! Apologies if this
makes me sound impatient. I'm always very grateful to the contributors here
who give their time and advice freely. I hope to be able to give back in
due course.
 
after having thought about it longer, i would recommend you Not tweak
permissions for the Administrators group, since this might have
undesirable consequences elsewhere, besides the fact it is risky if done
wrong.

for those accounts in the Admin group who should Not be allowed to run
certain programs and only allowed to run others, it really makes More
sense that they should Not be in the Admin group to begin with. it
would really make More sense that these accounts be moved to the Power
Users group instead, and then tinker with permissions for the Power
Users group. if it turns out later that they need additional rights
which they had in the Admin group but which are not included in the
Power Users group, then simply add those rights to the Power Users group
(instead of moving them back to the Admin group).
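
Added example (not part of any post in this thread): the accounts-by-applications grid Tosca asks for, turned into the group-per-directory plan the replies describe, with a check for Administrators left off an application's list. The sample grid, group names and directory names are assumptions; the script only builds `net localgroup` and `cacls` command lines and does not cover the inheritance changes for Users and Everyone.

```python
# Constructed sample data. Account letters follow the original post;
# directory names under Program Files are assumed, not taken from the thread.
ADMINS = {"A", "B", "C"}
MATRIX = {
    # application directory -> accounts allowed to run it
    "WinZip": {"A", "B", "E"},
    "Spybot": {"A", "D"},
}


def plan(matrix, admins):
    """Return (commands, warnings) for the group-per-directory scheme."""
    commands, warnings = [], []
    for app in sorted(matrix):
        allowed = matrix[app]
        group = "Run_" + app.replace(" ", "_")   # hypothetical naming rule
        path = '"%ProgramFiles%\\' + app + '"'
        # One local group per application directory.
        commands.append(f"net localgroup {group} /add")
        for account in sorted(allowed):
            commands.append(f'net localgroup {group} "{account}" /add')
        # /T recurses, /E edits the existing ACL instead of replacing it,
        # /G grants; R is cacls' read right, shown in Explorer as Read & Execute.
        commands.append(f"cacls {path} /T /E /G {group}:R")
        # Administrators normally keep Full Control on Program Files, so an
        # admin who is not on the list can still run the program.
        for account in sorted(admins - allowed):
            warnings.append(f"{account} is an Administrator but not allowed {app}")
    return commands, warnings


if __name__ == "__main__":
    cmds, warns = plan(MATRIX, ADMINS)
    print("\n".join(cmds))
    for w in warns:
        print("WARNING:", w)
```

Each warning marks an account the last reply would move out of the Administrators group rather than handle with a permission change.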
 