User rights on PC...

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hello

Until now we did configure our users to be local administrators through
restricted groups in a GPO. This was really good because we had no problem
when deploying applications or access anything on the local drive. But for
understandable security reasons we try now to restrict the rights of the
users on their PC and found some questionnable things when applying those new
settings:
1- when a user is just member of the user or even power user group of the
PC, he cannot change the size of the policy applied for the desktop (I talk
about the settings in the display option where you can change from 96 to 120
dpi)
2- what about software that requires such rights that it even needs
admnistrator rights when opening for the first time and therefore trying to
create the user's profile for the application. We have such an application:
we can install it by using RUNAS options, but when the user opens the
applications, a small installation takes place that also requires
administrator rights
3- what about applications that install an INI file in the Windows directory
and the user with normal rights has no chance to change the settings of the
application because he cannot modify the INI file...

These are a few examples of what happens now. I do not ask for a solution on
every problem we have but rather would know how IT people get generally over
it.

If you have some good ideas, I'd be really thankfull because I really
consider moving back to the old configuration.

Nicolas
 
Hi

1. I have no clue how to solve that.

2. and 3. Combined with installing applications you can alter the security
(NTFS and registry) using GPO's as well so if you find where the program(s)
try to create/modify files you can, using GPO, adjust the security in a much
easier way.
If you install applications via GPO (in the computer section of the GPO) it
will install the applications with the LOCAL SYSTEM account which gives it
rights to do it.
Your product supplier should also know which rights in the system you need
to get it working so maybe asking them gives you a shortcut (instead of
trying to find out yourself).
 
Back
Top