How to give non-admin user ability to chkdsk drive?

  • Thread starter Thread starter Dave R.
  • Start date Start date
D

Dave R.

On some Vista Business systems I deploy, I need to be able to give
non-admin uers the ability to chkdsk drives. I found the "Perform
volume maintenance tasks" user rights policy, but that isn't doing it.

Anyone know if it is even possible (I know some things can only be done
by Administrators), and if so, how?

Regards,

Dave
 
Dave R. said:
On some Vista Business systems I deploy, I need to be able to give
non-admin uers the ability to chkdsk drives. I found the "Perform
volume maintenance tasks" user rights policy, but that isn't doing it.

Anyone know if it is even possible (I know some things can only be
done by Administrators), and if so, how?
Click to expand...

Widening the net to include a couple of additional newsgroups...

Does anyone know if this can be done, and of so, how?

Regards,

Dave
 
Dave R. said:
Widening the net to include a couple of additional newsgroups...

Does anyone know if this can be done, and of so, how?
Click to expand...

Even on XP, I don't think you can run ChKdsk without admin rights on XP if
the file system is NTFS and you can't do it on Vista with the file system
being NTFS. The only way you can do it is if the file system is FAT32 -- no
security.
 
Mr. Arnold said:
Even on XP, I don't think you can run ChKdsk without admin rights on
XP if the file system is NTFS and you can't do it on Vista with the
file system being NTFS. The only way you can do it is if the file
system is FAT32 -- no security.
Click to expand...

That's what I was afraid of. Any idea why this would be restricted to
administrators only?

Regards,

Dave
 
Dave R. said:
That's what I was afraid of. Any idea why this would be restricted to
administrators only?
Click to expand...

Because they are administrators that administer the O/S?
 
Dave said:
That's what I was afraid of. Any idea why this would be restricted to
administrators only?
Click to expand...

Because only administrators should have file system level access to the
contents of the hard drive; it's not something regular users should ever
have to do.


--

Bruce Chambers

Help us help you:


http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot
 
Mr. Arnold said:
Because they are administrators that administer the O/S?
Click to expand...

I'm aparently not being clear, so let me try again:

Why can't I as an administrator give the ability to do any administrator
task to another user without giving them the ability to do ALL
administrator tasks? That design seems lacking to me.

Regards,

Dave
 
Bruce Chambers said:
Because only administrators should have file system level access to
the contents of the hard drive; it's not something regular users
should ever have to do.
Click to expand...

The problem with that approach is that it lacks granularity in privilige
assignment. Just because a user can be trusted to do some aspects of
system administration does not necessarily mean they can be trusted to
perform all aspects of system administration. Yet, in this case (and
others I keep running across), I cannot separate the ability to do a
simple disk check from the ability to do ALL administrative tasks.

We are trying to put into place a concept of a "System Maintainer" -
someone who can handle many aspects of system maintenance, but doesn't
have the keys to the kingdom as it were. Unfortunately, we are being
thwarted by the security model built into Windows. If anyone has any
ideas on how to approach this in a Windows (specifically, Vista)
environment, I'm all ears.

Regards,

Dave
 
Command-line utilities can be run from standard user without prompts if the
application is given a manifest assigning highestAvailable. Unfortunately,
this may also not give the results you want...
The higher privileged application will open in a separate "DOS" window and
close without providing the user an opportunity to read any information
presented. ChkDsk can be assigned in this method to run on the next boot
where the information will be provided to the user, or the logfile that
ChkDsk could be reviewed after running, but no protected area sectors can be
repaired while run from a standard user.

Again, this is probably not what you wanted.
Easier would be to setup ChkDsk to run each boot by marking the disk as
"dirty" during network initialization.
Again, missing the concept. You want to provide the standard user the
ability to run certain applications while running Windows.

I don't think that exists. Nor did it exist in prior versions. (They were
simply running as administrator and you restricted those functions you did
not want to give to them.)
 
Dave said:
We are trying to put into place a concept of a "System Maintainer" -
someone who can handle many aspects of system maintenance, but doesn't
have the keys to the kingdom as it were.
Click to expand...


Part of the problem is that, for some reason, you're mistakenly
thinking of Chkdsk as some sort of routine maintenance tool. It isn't.
It's designed to find and correct problems with the hard drive
(limited, to be sure) and the file system. It has no preventative
value, at all. All it's routine periodic use would do is unnecessarily
increase the wear and tear on the hard drives.

And granting ordinary (or even power users) the ability to alter the
very foundation on which the OS, applications, and data rests is very
much granting the "keys to the kingdom."


--

Bruce Chambers

Help us help you:


http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot
 
Bruce Chambers said:
Part of the problem is that, for some reason, you're mistakenly
thinking of Chkdsk as some sort of routine maintenance tool.
Click to expand...

No, I'm not. I'm thinking that *some* aspects of system administration
can be handled by *some* users who have *some*, but not all, of the
rights/privileges of system administrators.
It isn't. It's designed to find and correct problems with the hard
drive (limited, to be sure) and the file system.
Click to expand...

I'm fully aware of chkdsk's purpose and usage, thanks.
It has no preventative value, at all.
Click to expand...

I'm not looking for "preventative value".
All it's routine periodic use would do is unnecessarily increase the
wear and tear on the hard drives.
Click to expand...

First, I'm not looking for it to be used "periodically" or "routinely".
Second, if you actually believe this, then you have no idea how a hard
drive functions. That's like saying "the routine periodic reading of
data from hard drives unnecessarily increases the wear and tear on the
hard drives."
And granting ordinary (or even power users)
Click to expand...

I'm not looking to give "ordinary" users, or "power users", this
ability. You should stop trying to divine my intent as you are
consistently making incorrect assumptions.
the ability to alter the very foundation on which the OS,
applications, and data rests is very much granting the "keys to the
kingdom."
Click to expand...

No, it is granting *a* key to *one part* of the kingdom. A key that I
trust certain users to have. What is it about this that bothers you so
much?

Regards,

Dave
 
Thanks for the constructive reply, Mark. I'll take a closer look at
your suggestions and ideas and see if they can get me where I want to
go.

Regards,

Dave
 
This is an interesting thread. A bit hostile, but interesting.

You have the answer to your question, obviously it is not the answer you are
looking for. For the last few replies, the conversation has degraded into a
tit for tat, exchange which still will not change anything.

At the risk of incurring more enmity...the granularity that you seek is
available in Vista/server 2008. Technology evolves; things that were not
possible (for whatever reason) are added in later versions -Granularity of
administrative functionality is now possible in the latest version of
Microsoft server/client OS. Might be time to upgrade if this is something
that you need.

If you must have the functionality in your present version of software, it
might be worthwhile to create a function/macro with the ability you need.
Compile it with the appropriate permissions then deploy it thru GPO? You
seem knowledgeable, more than capable to handle the coding. It can be done.
 
Back
Top