How to grant an app Admin privaleges?

  • Thread starter Thread starter Fran
  • Start date Start date
F

Fran

I have three apps that users are required to use that must have local
administrator access to run. I'm not sure what they need admin access
for yet but they certainly won't run without it.

I have a reluctance to grant every user that runs these apps local
admin access (especially with all the sypware out there now.)

I've tried RUN AS but that doesn't grant enough privaleges apparently
as they won't run under "Run As".

Is there a way I can grant admin access to ONLY the application(s) and
not the users in general? I can't count the hours I've spent trying to
remove spyware and dopy apps some of these users d/l or bring in from
home.

-Fran-
 
There is no native way to do such. Windows XP Pro can use Software
Restriction Policies to restrict what applications a user can install or
run - even the local administrator. Otherwise you can try to get the
application to work as a regular user by modifying ntfs and registry
permissions though that will not always work if administrator access is
required that can not be given to a regular user through changing
ntfs/registry permissions or user rights. If the application will work when
the user is a power user then it is possible for sure. The main areas to
check are the application folder in program files, any application subfolder
in program files\common files, and application subfolder in the documents
and settings\all users\application data folder, and for the application
folder registry key in hklm\software. You would want to give users write or
possibly modify permissions to those locations.

Beyond that you can use the free tools from SysInternals called filemon and
regmon to try and track down "access denied" log entries for a regular user
when the application is run. Since their may be multiple places where
permissions need to be modified you would have to continue to run
filemon/regmon in a trial end error basis after making permission changes to
allow a user access to the file or registry key where they were denied
access until no more access denied log entries are found. To be able to do
this you need to logon as a regular user, execute filemon or regmon via
runas with admin credentials just before you try to run the application, and
stop logging of filemon/regmon as soon as the application fails and view
the logs for access denied. The log can contain thousands of entries but you
will learn to scan them fairly fast. It may also be helpful to enable
auditing of object access and privilege use for failure to see if entries
are recorded in the security log that may also prove helpful. A failure of a
privilege use mean the user does not have the user right as shown in Local
Security Policy. --- Steve

http://www.sysinternals.com/ntw2k/source/filemon.shtml
 
Thanks, Steve. I grabbed the tools. Yes, there is a bit of info
captured by them!

I will begin running tests real time on Monday. I appreciate your
help. Do I use RegEdit to change permission to key(s) so the program
can write to them? Is that how that works?

Also, is there a way I can assign any of this through a group policy
or will I have to do this for EVERY user on the LAN that uses these
apps?

-Fran-
 
Yes you can use regedt32 or regedit to change permissions to a registry key
similar to the way to change folder permissions. You can apply registry and
file permissions via Group Policy. If you go to computer
configuration/Windows settings/security settings - registry and/or file
system. If you try to create a new entry that is not on the computer where
you are configuring the policy you can simply enter the file or registry
path. I suggest doing this ONLY at the organizational unit level so as to
not affect domain controllers and other servers. If you do try such, test it
out on a few computers that you place in the OU where you configure file
system and/or registry settings before you roll it out on a larger scale.
Also note that if you remove file system/registry settings the changes that
they implemented stay in place on the computers that they were applied
o. --- Steve
 
Back
Top