Grant Application Access with a GPO

I have a program that needs to run on all of the client computers on my
network.

The problem is that the software will only run if the Domain User account is
set up as an Administrator on the client machine. This I do not like.

I was wondering if I can grant the required access to the program with GPO.
I found in Group Policy\User Configuration\Admin Templates\Run only allowed
Windows applications. This is the only thing I can find that has to do with
giving program access, but does not appear to be what I need.

Also, it is an older application that does not use Windows Installer, so I
don’t think I can use the Software Installation function. Or can I?

Can this be done with a GPO, or by any other method?
I am kind of at a loss on what to do here, so any suggestions would be great.

Thanks,
stikfa
 
I am sure that this is not true. Err, meaning that the domain user account
object needing to be a member of the Local Administrators group. Generally
the application needs to have access to certain areas of the registry and to
certain directories during installation. Obviously, when the user account
object is a member of the default Local Users group there are not enough
permissions / rights. Probably the same for Local Power Users group.

You can go to http://www.sysinternals.com and look at filemon and regmon.
Follow the instructions and you will find out just exactly what is causing
the problem(s). The solution should be easy from there.

And I am sure that the application simply needs these rights / permissions
during the installation - not actually to be used!

And, I think that you might be looking at the Software Restriction
backwards.

To use GPO to install software you need an .msi file. If one does not come
natively then you would need to create one. There are many third party
applications that can do this. One free software app that can do this comes
with WIN2000 Server. It is called WinInstall Lite. You might want to look
into this....

I would use filemon and regmon to solve this, though. It might be a bit
involved but once you do it a couple of times it gets easier and easier!

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Hi,
The problem is that the software will only run if the Domain User
account is set up as an Administrator on the client machine. This I do
not like.

I have hundreds of pieces of software I have tweaked to run under a
read-only machine. My users have no write access except to their
HomeDrive on the server.

I use inctrl5 to find out what reg keys and what specific files need
access and then I give write access to only those keys and files.
Works fine so far. Even got AutoCad 2004 full version to run under a
read-only account and they said that I couldn’t do it.

http://www.sd61.bc.ca/windows2000/downloads/inctrl5.zip

Cheers,

Lara
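
One way to apply the narrow grants the replies above describe, once monitoring has shown which folders and registry keys the application writes to. This is an added example, not part of the original thread; the function name, group, folder and registry key are hypothetical placeholders, and the Modify / read-write rights are an assumption about what the application needs.

```powershell
# Added example: grant a non-admin group write access only to the listed
# folders and registry keys, instead of local Administrators membership.
function Grant-LegacyAppAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Group,
        [string[]] $Folder = @(),
        [string[]] $RegistryKey = @()
    )
    $targets = @()
    foreach ($f in $Folder) {
        # Modify on the folder, inherited by subfolders and files
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $targets += [pscustomobject]@{ Path = $f; Ace = $ace }
    }
    foreach ($k in $RegistryKey) {
        # Read and write on the key, inherited by subkeys
        $ace = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $Group, 'ReadKey,WriteKey', 'ContainerInherit', 'None', 'Allow'
        $targets += [pscustomobject]@{ Path = $k; Ace = $ace }
    }
    foreach ($t in $targets) {
        if (-not (Test-Path -LiteralPath $t.Path)) {
            Write-Warning "Skipping missing path: $($t.Path)"
            continue
        }
        $acl = Get-Acl -LiteralPath $t.Path
        $acl.AddAccessRule($t.Ace)          # adds to existing ACEs, removes none
        if ($PSCmdlet.ShouldProcess($t.Path, "Allow $Group")) {
            Set-Acl -LiteralPath $t.Path -AclObject $acl
        }
        # Emit what the group now holds on this path, for review
        (Get-Acl -LiteralPath $t.Path).Access |
            Where-Object { $_.IdentityReference.Value -eq $Group } |
            Select-Object @{ n = 'Path'; e = { $t.Path } }, IdentityReference, IsInherited
    }
}

# Hypothetical values; -WhatIf previews the change without writing any ACL.
$params = @{
    Group       = 'EXAMPLE\Domain Users'
    Folder      = 'C:\Program Files\LegacyApp\Data'
    RegistryKey = 'HKLM:\SOFTWARE\LegacyVendor\LegacyApp'
}
Grant-LegacyAppAccess @params -WhatIf
```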
 