User rights Problem

[Mitch Johnson]

I have a pesky problem that currently requires me to have users in the
domain admins group until we can resolve the issue.

we recently installed a program called Attachmate Extra on a handful of PCs.
Each time the program launches it attempts to write to registry. When we
put them in the Domain Admins group it works fine. As you can imagine we're
not too keen on this idea, so we've held back on this until we can solve the
problem.

Any help would be greatly appreciated.

 

[Johan Arwidmark]

Use regmon from sysinternals to find out which registry keys that the
user needs permission to and assign that permission (for example using
a Group Policy)

regards
Johan Arwidmark

Windows User Group - Nordic
http://www.wug-nordic.net

 

[Cary Shultz [A.D. MVP]]

Mitch,

What Johan is suggesting is a very good idea. I would look into this
quickly.

Another way to patch this problem up is to place the users involved into the
computer's Local Administrator group. I am not a fan of doing this at all
and very typically STRONGLY suggest that this not be done. However, in your
situation I would suggest this over leaving the users as a member of the
Domain Admins group.

You see, by making the users involved a member of the Domain Admins group
( which is something that I STRONGLY STRONGLY STRONGLY discourage ) you
are - by default - making them a member of the computer's Local
Administrator group. By default, the Domain Admins group is a member of
each computer's Local Administrator group. Naturally, this applies to
WIN2000 and WINXP computers.

So, placing the users involved temporarily into the Local Administrator
group on the computers involved would be the lesser of two evils. Once you
follow Johan's suggestion and figure out to what registry entries they need
access and grant that access you can remove the users involved from the
computer's Local Administrator group.

HTH,

Cary

 

[Mitch Johnson]

Thank-you, I'll try that Monday Morning.

Mitch,

What Johan is suggesting is a very good idea. I would look into this
quickly.

Another way to patch this problem up is to place the users involved into the
computer's Local Administrator group. I am not a fan of doing this at all
and very typically STRONGLY suggest that this not be done. However, in your
situation I would suggest this over leaving the users as a member of the
Domain Admins group.

You see, by making the users involved a member of the Domain Admins group
( which is something that I STRONGLY STRONGLY STRONGLY discourage ) you
are - by default - making them a member of the computer's Local
Administrator group. By default, the Domain Admins group is a member of
each computer's Local Administrator group. Naturally, this applies to
WIN2000 and WINXP computers.

So, placing the users involved temporarily into the Local Administrator
group on the computers involved would be the lesser of two evils. Once you
follow Johan's suggestion and figure out to what registry entries they need
access and grant that access you can remove the users involved from the
computer's Local Administrator group.

HTH,

Cary

solve

 

[Cary Shultz [A.D. MVP]]

Mitch,

You are welcome. Please let us know how it works out.

Also, if you have a ton of PCs ( I know that you mention 'a handful' for
this particular exercise ) you might want to look into Restricted Groups,
which is something that you can do from within AD. This allows you to do
several things.

Cary