Limit administrators permissions


Evan

Hi,

In our company all users on XP are local administrators on
their workstations to allow all the legacy apps to
function.

I would like to restrict the administrators group rights
on the workstation and more importantly prevent users from
accessing other users' local profiles in Documents and
Settings. How would I go about doing that?

Any help would be greatly appreciated.

Thanks.
Evan
 
One of the main applications that we have on the XP SP2
image is Hummingbird DM 5 and it needs the user to be
local admin, otherwise it does not install the Office
2003 integration bits. It writes to HKLM etc etc. Bad app
but we have no choice. So that's why we need users to have
local administrator access. Believe me, we tried to have it
the other way but it delayed our project too much.

I would expect users not to know how to give themselves the
rights again. So if you have any ideas on how to do it I
would greatly appreciate them.

Thanks
Evan
 
Evan said:
One of the main applications that we have on the XP SP2
image is Hummingbird DM 5 and it needs the user to be
local admin, otherwise it does not install the Office
2003 integration bits.

You say install, but do you mean every single time you run it it needs to
install something? If not, why not temporarily grant the user local admin
rights, install what's needed, and revoke rights?

Does the app developer have a new version or workaround? I would complain up
a storm about this - it's simply bad programming.
It writes to HKLM etc etc.

Can't you change the permissions on the keys?
Have you tried FileMon and RegMon from www.sysinternals.com?
Bad app
but we have no choice. So that's why we need users to have
local administrator access. Believe me, we tried to have it
the other way but it delayed our project too much.

I would expect users not to know how to give themselves the
rights again. So if you have any ideas on how to do it I
would greatly appreciate them.

You cannot expect to limit an administrator, really.
 
One of the main applications that we have on the XP SP2
image is Hummingbird DM 5 and it needs the user to be
local admin, otherwise it does not install the Office
2003 integration bits.


I'm not the least bit familiar with Hummingbird 5, but from the above
statement I wonder if one could set the user up as admin for the install and
first run of the app, then remove the user from the admin group. Would the
program run fine for them then? Or does the Office part get installed each
time the program starts?

If not I think your best bet would be to contact the maker of the app. There
is not much you can do to lock down the admin of the computer.

hth
DDS W 2k MVP MCSE
 
We had them onsite. It can't be done.

All I want to do is remove the administrators group's ability to view
everyone's profile in documents and settings. The rest of the workstation we
are locking down with AD group policies.

Here's my thinking:

Remove the administrators group from the documents and settings folder
permissions.
Add authenticated users and then change the permissions so that domain users
can login, their profile gets created and they can see their own docs and
stuff but cannot access everyone else's.
 
Remove the administrators group from the documents and settings folder
permissions.


This would not be a solution if it did work, they could just add themselves
back. The problem is with the bad application that forces you to put users
in the admin group not the OS.

hth
DDS W 2k MVP MCSE
 
All I want to do is remove the administrators security group's ability to view
everyone's profile in documents and settings.
 
You might want to try this. It can always be un-done by the other
administrator but they would need to be pretty sophisticated users.

1 Remove the administrators group from the documents and settings folder
security.
Then
2 Use Group Policy to remove the Security Tab

Click on Start button, then Run and type "gpedit.msc", without the quotes.
Click on User Configuration/Administrative Templates/Windows
Components/Windows Explorer then click on Remove Security Tab and then click
Enable

Good Luck,
Mike
 
Evan said:
One of the main applications that we have on the XP SP2
image is Hummingbird DM 5 and it needs the user to be
local admin, otherwise it does not install the Office
2003 integration bits. It writes to HKLM etc etc. Bad app
but we have no choice. So that's why we need users to have
local administrator access. Believe me, we tried to have it
the other way but it delayed our project too much.

I would expect users not to know how to give themselves the
rights again. So if you have any ideas on how to do it I
would greatly appreciate them.

Thanks
Evan

Evan, the typical solution to fix such applications is to use filemon/regmon
to determine where the app reads/writes and change the ACLs but it looks
that you have already tried that path.

I'm jumping into the thread because we do have a solution -- not free -- but
a solution nonetheless. Our company sells a solution that would allow you to
remove the users from the local admins group and elevate the privileges only
for the Hummingbird DM application. If interested to give NeoExec/AD a go
then check it out on www.neovalens.com

cheers,
Marco

marco [alla] neovalens [punto] com
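
Two replies in this thread suggest FileMon/RegMon to find where the application is denied access, so that ACLs can be changed on those objects instead of granting local admin. As an added example (not part of any post here), this script filters a saved monitor log for one process's denied operations; the tab-separated column layout, the result strings, the process name LEGACYAPP.EXE and every path are assumptions or constructed sample data.

```python
import csv
import io

# Constructed sample log (not captured from a real system). Assumed layout,
# tab-separated: sequence, time, process:pid, request, path, result, other.
SAMPLE_LOG = "\n".join([
    "1\t10:01:02\tLEGACYAPP.EXE:1234\tOpenKey\tHKLM\\Software\\ExampleVendor\\App\tSUCCESS\t",
    "2\t10:01:02\tLEGACYAPP.EXE:1234\tSetValue\tHKLM\\Software\\ExampleVendor\\App\\Integration\tACCDENIED\t",
    "3\t10:01:03\tLEGACYAPP.EXE:1234\tCreateKey\tHKLM\\SOFTWARE\\ExampleVendor\\App\\Integration\tACCDENIED\t",
    "4\t10:01:03\tEXPLORER.EXE:800\tOPEN\tC:\\Program Files\\Other\\x.dat\tACCESS DENIED\t",
    "5\t10:01:04\tLEGACYAPP.EXE:1234\tWRITE\tC:\\Program Files\\ExampleVendor\\app.ini\tACCESS DENIED\t",
    "6\t10:01:05\tLEGACYAPP.EXE:1234\tQueryValue\tHKCU\\Software\\ExampleVendor\\Missing\tNOTFOUND\t",
])

# Result strings treated as permission failures (assumed spellings).
DENIED = {"ACCDENIED", "ACCESS DENIED"}


def denied_targets(log_text, process_name):
    """Map each object the process was denied on to the requests that failed."""
    found = {}  # lower-cased path -> (path as first seen, set of requests)
    reader = csv.reader(io.StringIO(log_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) < 6:
            continue  # header or truncated line
        process, request, path, result = row[2], row[3], row[4], row[5]
        if process.split(":")[0].upper() != process_name.upper():
            continue  # other processes are noise for this question
        if result.strip().upper() not in DENIED:
            continue  # NOTFOUND etc. is not a permissions problem
        # Windows paths and key names are case-insensitive: merge spellings.
        _, requests = found.setdefault(path.lower(), (path, set()))
        requests.add(request)
    return {path: sorted(reqs) for path, reqs in found.values()}


def acl_candidates(log_text, process_name):
    """Return (kind, path, requests) rows, registry keys first, for ACL review."""
    rows = []
    for path, requests in denied_targets(log_text, process_name).items():
        kind = "registry" if path.upper().startswith("HK") else "file"
        rows.append((kind, path, requests))
    return sorted(rows, key=lambda r: (r[0] != "registry", r[1].lower()))


if __name__ == "__main__":
    for kind, path, requests in acl_candidates(SAMPLE_LOG, "LEGACYAPP.EXE"):
        print(f"{kind:8} {path}  denied: {', '.join(requests)}")
```

Run the application as a non-admin test user while the monitor is capturing, then review each listed key or file and grant the narrowest permission that clears the denial.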
 
Evan said:
All I want to do is remove the administrators security group's
ability to view everyone's profile in documents and settings.

You can't stop administrators from doing anything.
 

All I want to do is remove the administrators group's ability to view
everyone's profile in documents and settings. The rest of the workstation we
are locking down with AD group policies.

I'm not sure but I think that if you make the folders private, a person
wouldn't be able to see everyone's documents.

BTW have you considered a product like VirtualPC for your software?

Mitja
 