User rights to modify hive

  • Thread starter Thread starter Andy
  • Start date Start date
A

Andy

Hello, I've got a Windows 2000 domain with 2kPro/XP Pro
workstations. We are currently rolling out a new app that
requires the client to have the privilege to edit a few
keys. So far I can only get it to work by making my
users "Domain Admins". Is there a way to remove my users
from the "Domain Admins" group and still allow the right
to edit the hive?? Thanks.
 
Add the user's domain account to the local machine administrator's group.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect


:
| Hello, I've got a Windows 2000 domain with 2kPro/XP Pro
| workstations. We are currently rolling out a new app that
| requires the client to have the privilege to edit a few
| keys. So far I can only get it to work by making my
| users "Domain Admins". Is there a way to remove my users
| from the "Domain Admins" group and still allow the right
| to edit the hive?? Thanks.
 
Hello, I've got a Windows 2000 domain with 2kPro/XP Pro
workstations. We are currently rolling out a new app that
requires the client to have the privilege to edit a few
keys. So far I can only get it to work by making my
users "Domain Admins". Is there a way to remove my users
from the "Domain Admins" group and still allow the right
to edit the hive?? Thanks.
Absolutely. First, you need to know which keys specifically the app
writes to. If you don't know them, I suggest you use Registry Monitor
from www.sysinternals.com to catch these.
At last, it all comes down to permissions. To test, on a one client
machine use Regedt32.exe (or regedit in WinXP and above,they're now the
same) - right-click a key and select "Permissions...", "Advanced" and
set the special permissions (it's not a security best practice to give
the users Full control, however if you don't consider this specific case
a compromise then go with it). If it works, you can set these
permissions to all the respective client machines using group policy
under Computer configuration\Windows Settings\Security Settings
\Registry.

HTH
--
Cheers,
Marin Marinov
MCT,MCSE 2003,MCSE:Security 2003
-
This posting is provided "AS IS" with no warranties, and confers no
rights.
 
Back
Top