You can use the free tools from SysInternals called filemon and regmon to
find where access is being denied and try to give the group needed access
which may also include write and modify. You would have to logon as the
restricted user and then start filemon with runas specifying admin
credentials and then try to run the restricted application. As soon as it
fails stop filemon logging, look for denied access entries [you can use
filter view to highlight specific searches] , tweak permissions for the
group for that file/folder and try again in a trial and error basis. You may
also have to use regmon to look for access denied for registry keys. Suspect
areas would be the application folder or folders in program files,
subfolders for the application in program files\common files, and subfolder
for the application in documents and settings\all users\application data.
Note however it is not always possible to allow a regular user to run
everything that an administrator can [such as secpol.msc for example] due to
hard coded restrictions in the operating system that only allow
administrator/system access which will often show as an object access
failure if auditing of object access is enabled which it should not be on a
routine basis. --- Steve
http://www.sysinternals.com/Utilities/Filemon.html --- filemon and link to
SysInternals
"Justin" <(E-Mail Removed)> wrote in message
news:90A8A9F2-E408-4A5F-8AE4-(E-Mail Removed)...
> Sarbanes and Oxley have been auditing our company and they have given us
> the
> role as IT to restrict user access on our network. My question is what
> "group" would I add a user so that he/she will be restriced to install any
> 3rd party software such as google toolbar, or messngers, but still be able
> to
> pull down windows and norton antivirus updates? Ive tried this on power
> user
> and it doesnt work for the updates it says i have to be logged in as
> ADMIN,
> however it does not allow installation of the google toolbar which was
> good.
> I need help. Thanks
Similar Threads
