Programs that need admin rights, but user shouldn't have them


Repent34

I have several programs that users need to run. These programs require the
user to have local machine and domain local admin rights. I have noticed
that they are now able to bypass a lot of the GPO settings because of their
admin rights. Is there a setting in the GPOs that will make the GPOs
apply to them as well. I want these users to be as restricted in what they
can do as everyone else.

chris
 
1. complain to the application vendor that their application is not "well
behaved" and they should modify it so it doesn't need "Administrator"
privileges.

2. in many such cases, applications only need the ability to modify files in
some folders that "Users" are not permitted by default to change. For
example, many "ill behaved" applications insist on storing data or
configuration information in their Program Files folder. In these cases, if
you grant Users "Modify" permission to those folders, they will no longer
need to be "Administrators" to run the application.

3. the Security Template called "compatws" selectively modifies permissions
on some folders and registry entries in such a way the "ill behaved"
applications can run with only User privileges. You apply Security
Templates using the "Security Configuration and Analysis" MMC snap-in.

4. in some cases, the application's installation process will allow you to
specify where data and configuration files are to go. If you specify a
location that Users can Modify, they won't need to be Administrators to run
the application.

5. in some cases, the application's configuration files or registry entries
can be modified to specify that data files are to be stored in a location
other than the default. If this is the case, you can move the data files to
a location that Users can modify. You may have to contact the vendor or do
some investigation (using a tool like regmon or filemon from System
Internals) to find out if this is practical.

If none of the above is useful:

6. some settings made via GPOs can not be overridden by anyone that is an
Administrator on the computer (e.g. some of the Windows XP Firewall
settings), but others CAN be overridden by a local administrator. There is
not much you can do about this except not make the user an Administrator.
Often, the "Explain" or "Help" for these settings indicates whether a local
administrator can override the setting or not.

7. the GPO(s) may have Security Filtering or "Delegation" that prevents the
GPO from applying to user accounts in certain groups (e.g. a domain group
used to grant Administrator rights on workstations). In this case, it may
be possible to have one group for "true administrators" and another group
for "users that need to be administrators to run applications". Both groups
could be added to the local administrators group on the workstation. Then,
you could cause the GPO to be applied for the second group, but not the
first (but see 6 above).
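The folder and registry permission changes from points 2 and 5 above, written out as a PowerShell script. This is an added example and not code from anyone in the thread; the application folder, the registry key and the use of BUILTIN\Users as the principal are assumptions to be replaced with the real application's locations. It grants only Modify on the data folder and only value-writing rights on the vendor's key, which is the narrowest change that usually lets such an application run as a regular user.

```powershell
# Added example (not from the thread). Grants BUILTIN\Users the "Modify" right
# on an application's data folder and limited write rights on its registry key,
# so the application can run without the user being a local Administrator.
# Run as an Administrator. Paths and key names below are assumptions.

$AppDataFolder = 'C:\Program Files\ExampleVendor\ExampleApp\Data'   # assumed path
$KeyPath       = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'          # assumed key
$Principal     = 'BUILTIN\Users'

# Save the current ACLs as SDDL so the change can be reverted if needed.
(Get-Acl -Path $AppDataFolder).Sddl | Out-File "$env:TEMP\ExampleApp-folder-acl.sddl"
(Get-Acl -Path $KeyPath).Sddl       | Out-File "$env:TEMP\ExampleApp-key-acl.sddl"

# Folder: Modify (read, write, delete, create) on the folder and everything under it.
$acl  = Get-Acl -Path $AppDataFolder
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $Principal,
    'Modify',
    'ContainerInherit, ObjectInherit',   # apply to subfolders and files
    'None',
    'Allow'
)
$acl.AddAccessRule($rule)
Set-Acl -Path $AppDataFolder -AclObject $acl

# Registry: only the rights needed to read and update values under the vendor key,
# rather than Full Control on the whole key.
$regAcl  = Get-Acl -Path $KeyPath
$regRule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $Principal,
    'ReadKey, SetValue, CreateSubKey',
    'ContainerInherit',
    'None',
    'Allow'
)
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $KeyPath -AclObject $regAcl

# Verify: show the explicit (non-inherited) entries for Users on both objects.
(Get-Acl -Path $AppDataFolder).Access |
    Where-Object { $_.IdentityReference -eq $Principal -and -not $_.IsInherited }
(Get-Acl -Path $KeyPath).Access |
    Where-Object { $_.IdentityReference -eq $Principal -and -not $_.IsInherited }
```

After running it, test with a regular (non-administrator) account; if the application still fails, the failing path or key shows up in the tools mentioned in point 5, and the same pattern can be applied to that location rather than widening the grant to the whole Program Files tree.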
 
Bruce;

thanks for the detailed reply.

I am seeing #6 to be true. Some GPO settings stick and some don't. I did
see in some of the helps that some settings talked about being able to be
overwritten by local admins. Laziness on the part of the software vendors
I'd guess. One of my biggest culprits is UPS Worldship. I think I may try
a combination of 6-7. I like the idea of groups.

I'll post here when I find the solution that works.

chris
 
Looks like I actually got by by just upgrading the permissions on the
folders for domain\username to admin rights.

Done
 
Repent34 said:
I have several programs that users need to run. These programs require the
user to have local machine and domain local admin rights. I have noticed
that they are now able to bypass a lot of the GPO settings because of their
admin rights. Is there a setting in the GPOs that will make the GPOs
apply to them as well. I want these users to be as restricted in what they
can do as everyone else.

chris

Hi,

I haven’t met a program yet that I can’t make run under a Regular User
with a few individual file "write" access permissions and a few
specific registry "write" access permissions. I run everything from
AutoCad to Adobe. Now over the years, Adobe and Macromedia have become
very well behaved but AutoCad is still bad.

It actually is quite easy to do. 1> Install your "badly behaved"
programs on a test machine. Log in as an Admin. Run the application
and then Search the HD for any files for today's date with a time that
is the same as when you ran the app. With the exception of the
recognized "system.dat" files etc. you can see what files that need
write access.

For the registry it is a little trickier. You can use inctrl5 to do a
scan of files and folders as well as reg keys
http://www.sd61.bc.ca/windows2000/downloads/inctrl5.zip

Or you can just open up the Registry and give users "Full Control"
Permissions on the HKLMachine-Software-SoftwareCompanyName.

However, IF I were you I would Contact UPS and ask for a software
update that runs under Windows XP regular user. It is in their best
interest to make their software as compatible with their users’
networks as possible. If it were my network, whether their software
would run under Windows XP regular user would be the "make or break"
dealmaker as to whether I used UPS or another shipping company.

I have had great success with contacting companies about this. So far
AutoDesk is the only one who has yet to conform.

Cheers,

Lara
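The snapshot-and-compare method described in the post above (search for files written while the application ran, then do the same for the registry) as a PowerShell script. This is an added example, not code from Lara or from inctrl5; the folders, registry hive and executable path are assumptions, and it is meant to be run as an Administrator on a test machine. Its output is the list of files and registry values the application touched, which is exactly the set of locations that a regular user needs write access to.

```powershell
# Added example (not from the thread). Takes a snapshot of files and registry
# values, runs the application, takes a second snapshot and reports what
# changed. Run as an Administrator on a test machine. Paths are assumptions.

$FileRoots = @('C:\Program Files', 'C:\ProgramData')                     # assumed
$RegRoots  = @('HKLM:\SOFTWARE')                                          # assumed
$ExePath   = 'C:\Program Files\ExampleVendor\ExampleApp\app.exe'         # assumed

function Get-FileSnapshot([string[]]$Paths) {
    # One record per file: path, last write time and size.
    Get-ChildItem -Path $Paths -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTimeUtc, Length
}

function Get-RegSnapshot([string[]]$Paths) {
    # One record per registry value: key, value name and its data as a string.
    Get-ChildItem -Path $Paths -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Name  = $name
                    Value = "$($key.GetValue($name))"
                }
            }
        }
}

$filesBefore = Get-FileSnapshot $FileRoots
$regBefore   = Get-RegSnapshot  $RegRoots
$start       = (Get-Date).ToUniversalTime()

# Run the application, exercise the features users need, then close it.
Start-Process -FilePath $ExePath -Wait

$filesAfter = Get-FileSnapshot $FileRoots
$regAfter   = Get-RegSnapshot  $RegRoots

# Files that are new, or whose last write time is after the application started.
$knownFiles   = @{}
foreach ($f in $filesBefore) { $knownFiles[$f.FullName] = $true }
$changedFiles = $filesAfter | Where-Object {
    -not $knownFiles.ContainsKey($_.FullName) -or $_.LastWriteTimeUtc -ge $start
}

# Registry values that are new or whose data changed.
$knownValues = @{}
foreach ($r in $regBefore) { $knownValues["$($r.Key)|$($r.Name)"] = $r.Value }
$changedReg = $regAfter | Where-Object {
    $knownValues["$($_.Key)|$($_.Name)"] -ne $_.Value
}

"Files written by the application:"
$changedFiles | Select-Object FullName, LastWriteTimeUtc | Format-Table -AutoSize
"Registry values written by the application:"
$changedReg | Format-Table -AutoSize
```

Expect some noise from Windows itself (prefetch, event logs, installer caches); the entries under the vendor's own folder and key are the ones to act on. Granting write access only to those specific paths keeps the user out of the Administrators group, which is the whole point of the exercise.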
 
Good. That is quite often the case for what I call "badly behaving"
programs!

A design rule for applications since NT 4 (and actually Windows 95) is that
applications should not store data and configuration files that are updated
during normal operation in the Program Files folder. Unfortunately, there
are a lot of application developers and vendors that don't seem to be
getting this message!

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
 