PC Review


Reply
Thread Tools Rate Thread

computer account and application management strategy

 
 
ILiya
Guest
Posts: n/a
 
      25th Jan 2005
As a best practice, it is often recommended to run workstation as a regular
user for security reasons.
The problem I see is however with application installation process. Most of
applications keep their settings in the registry, which can be grouped into
per-computer and per-user settings. They are stored in HKCU and HKLM
registry branches respectively.
In order to install an application the setup program must be run with
Administrator account privileges, probably using runas command prompt
utility to impersonate the user without having to completely log-off.
The setup program will write HKLM registry settings correctly however the
user part HKCU will be screwed up because registry has its own HKCU zone for
each defined user, so when the setup program will write the current user
registry settings, it will only see Administrator HKCU and not the one I use
when running workstation. This will lead to an odd application behavior or
even cause application malfunctioning.

For example, when I decided to add a new newsgroup server to Outlook
Express, I forgot to run it as Administrator and made the operation as a
regular user (no warnings or low access messages were displayed), this
resulted to all the newsgroups folders were showing absolutely nothing
despite the fact they were full of postings. I could only view the newsgroup
folders in OE under Administrator account.
So, I had to runas Administrator the OE, configure all the settings, runas
Administrator regedit applet, export all the OE settings from HKCU and then,
manually import them as a user into my HKCU to reflect OE configuration in
my domain.

So the reason I wrote this post is I see neither runas nor logging in as
Administrator to be not a very good way to install applications. As far as I
see temporary for application installation period raising user privileges
to be the best installation approach. Maybe there is the uility like runas
which can temporary raise the privileges living all the user associations
alone.

I'd like to see the other views and opinions on the subject.

Thanks


 
Reply With Quote
 
 
 
 
Bhargav Shukla
Guest
Posts: n/a
 
      25th Jan 2005
I have found most Windows Certified programs work around this problems. If
you intend to run all programs as users but install applications as
administrator, you can run same install again after it is already installed
as administrator. This way it will see that the program is already installed
by administrator and it will make necessary registry changes for the user
that is trying to install the application now. I have done this couple of
times and it works. It may not work all the time with all the applications
but I believe most Windows aware applications should be able to do what I
described.

Another way (if the question relates to larges userbase and you are an
admin) is to use GPO and publish the application. That way the application
will be available in add/remove programs and users can install the
applications that they need without administrator intervention.

Hope this helps.

Thanks,
Bhargav




"ILiya" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> As a best practice, it is often recommended to run workstation as a
> regular
> user for security reasons.
> The problem I see is however with application installation process. Most
> of
> applications keep their settings in the registry, which can be grouped
> into
> per-computer and per-user settings. They are stored in HKCU and HKLM
> registry branches respectively.
> In order to install an application the setup program must be run with
> Administrator account privileges, probably using runas command prompt
> utility to impersonate the user without having to completely log-off.
> The setup program will write HKLM registry settings correctly however the
> user part HKCU will be screwed up because registry has its own HKCU zone
> for
> each defined user, so when the setup program will write the current user
> registry settings, it will only see Administrator HKCU and not the one I
> use
> when running workstation. This will lead to an odd application behavior or
> even cause application malfunctioning.
>
> For example, when I decided to add a new newsgroup server to Outlook
> Express, I forgot to run it as Administrator and made the operation as a
> regular user (no warnings or low access messages were displayed), this
> resulted to all the newsgroups folders were showing absolutely nothing
> despite the fact they were full of postings. I could only view the
> newsgroup
> folders in OE under Administrator account.
> So, I had to runas Administrator the OE, configure all the settings, runas
> Administrator regedit applet, export all the OE settings from HKCU and
> then,
> manually import them as a user into my HKCU to reflect OE configuration in
> my domain.
>
> So the reason I wrote this post is I see neither runas nor logging in as
> Administrator to be not a very good way to install applications. As far as
> I
> see temporary for application installation period raising user privileges
> to be the best installation approach. Maybe there is the uility like runas
> which can temporary raise the privileges living all the user associations
> alone.
>
> I'd like to see the other views and opinions on the subject.
>
> Thanks
>
>



 
Reply With Quote
 
 
 
 
ILiya
Guest
Posts: n/a
 
      26th Jan 2005
Thank you for you kind feedback Shukla,
Would you please shed some more light on the GPO issue. I'm interested.

"Bhargav Shukla" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I have found most Windows Certified programs work around this problems. If
> you intend to run all programs as users but install applications as
> administrator, you can run same install again after it is already

installed
> as administrator. This way it will see that the program is already

installed
> by administrator and it will make necessary registry changes for the user
> that is trying to install the application now. I have done this couple of
> times and it works. It may not work all the time with all the applications
> but I believe most Windows aware applications should be able to do what I
> described.
>
> Another way (if the question relates to larges userbase and you are an
> admin) is to use GPO and publish the application. That way the application
> will be available in add/remove programs and users can install the
> applications that they need without administrator intervention.
>
> Hope this helps.
>
> Thanks,
> Bhargav
>
>
>
>
> "ILiya" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > As a best practice, it is often recommended to run workstation as a
> > regular
> > user for security reasons.
> > The problem I see is however with application installation process. Most
> > of
> > applications keep their settings in the registry, which can be grouped
> > into
> > per-computer and per-user settings. They are stored in HKCU and HKLM
> > registry branches respectively.
> > In order to install an application the setup program must be run with
> > Administrator account privileges, probably using runas command prompt
> > utility to impersonate the user without having to completely log-off.
> > The setup program will write HKLM registry settings correctly however

the
> > user part HKCU will be screwed up because registry has its own HKCU zone
> > for
> > each defined user, so when the setup program will write the current user
> > registry settings, it will only see Administrator HKCU and not the one I
> > use
> > when running workstation. This will lead to an odd application behavior

or
> > even cause application malfunctioning.
> >
> > For example, when I decided to add a new newsgroup server to Outlook
> > Express, I forgot to run it as Administrator and made the operation as a
> > regular user (no warnings or low access messages were displayed), this
> > resulted to all the newsgroups folders were showing absolutely nothing
> > despite the fact they were full of postings. I could only view the
> > newsgroup
> > folders in OE under Administrator account.
> > So, I had to runas Administrator the OE, configure all the settings,

runas
> > Administrator regedit applet, export all the OE settings from HKCU and
> > then,
> > manually import them as a user into my HKCU to reflect OE configuration

in
> > my domain.
> >
> > So the reason I wrote this post is I see neither runas nor logging in as
> > Administrator to be not a very good way to install applications. As far

as
> > I
> > see temporary for application installation period raising user

privileges
> > to be the best installation approach. Maybe there is the uility like

runas
> > which can temporary raise the privileges living all the user

associations
> > alone.
> >
> > I'd like to see the other views and opinions on the subject.
> >
> > Thanks
> >
> >

>
>



 
Reply With Quote
 
Bhargav Shukla
Guest
Posts: n/a
 
      26th Jan 2005
There are two ways you can use GPO's. You can assign software or you can
publish the software. You can assign/publish it to computer or you can
assign/publish it to user. Assign software when you want it installed on
every machine or to every user in scope of GPO. Publish software when you
want it available to computers/users in scope of GPO but not install it
until needed.

When you use GPO to roll out software (I'm assuming you are an Active
Directory environment, GPO is not for workgroup environment) it can do many
things alongwith software deployment. What you want to use GPO for is upto
each administrator's requirements (or that of company's to meet their
goals).

It would be too much to post on how to use GPO and how to assign/publish
software here. I would post some useful links. Hope that helps.

http://www.microsoft.com/windowsserv...y/default.mspx
(the link is from Windows 2003 but it can be used as general guidelines).

Thanks,
Bhargav



"ILiya" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Thank you for you kind feedback Shukla,
> Would you please shed some more light on the GPO issue. I'm interested.
>
> "Bhargav Shukla" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> I have found most Windows Certified programs work around this problems.
>> If
>> you intend to run all programs as users but install applications as
>> administrator, you can run same install again after it is already

> installed
>> as administrator. This way it will see that the program is already

> installed
>> by administrator and it will make necessary registry changes for the user
>> that is trying to install the application now. I have done this couple of
>> times and it works. It may not work all the time with all the
>> applications
>> but I believe most Windows aware applications should be able to do what I
>> described.
>>
>> Another way (if the question relates to larges userbase and you are an
>> admin) is to use GPO and publish the application. That way the
>> application
>> will be available in add/remove programs and users can install the
>> applications that they need without administrator intervention.
>>
>> Hope this helps.
>>
>> Thanks,
>> Bhargav
>>
>>
>>
>>
>> "ILiya" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>> > As a best practice, it is often recommended to run workstation as a
>> > regular
>> > user for security reasons.
>> > The problem I see is however with application installation process.
>> > Most
>> > of
>> > applications keep their settings in the registry, which can be grouped
>> > into
>> > per-computer and per-user settings. They are stored in HKCU and HKLM
>> > registry branches respectively.
>> > In order to install an application the setup program must be run with
>> > Administrator account privileges, probably using runas command prompt
>> > utility to impersonate the user without having to completely log-off.
>> > The setup program will write HKLM registry settings correctly however

> the
>> > user part HKCU will be screwed up because registry has its own HKCU
>> > zone
>> > for
>> > each defined user, so when the setup program will write the current
>> > user
>> > registry settings, it will only see Administrator HKCU and not the one
>> > I
>> > use
>> > when running workstation. This will lead to an odd application behavior

> or
>> > even cause application malfunctioning.
>> >
>> > For example, when I decided to add a new newsgroup server to Outlook
>> > Express, I forgot to run it as Administrator and made the operation as
>> > a
>> > regular user (no warnings or low access messages were displayed), this
>> > resulted to all the newsgroups folders were showing absolutely nothing
>> > despite the fact they were full of postings. I could only view the
>> > newsgroup
>> > folders in OE under Administrator account.
>> > So, I had to runas Administrator the OE, configure all the settings,

> runas
>> > Administrator regedit applet, export all the OE settings from HKCU and
>> > then,
>> > manually import them as a user into my HKCU to reflect OE configuration

> in
>> > my domain.
>> >
>> > So the reason I wrote this post is I see neither runas nor logging in
>> > as
>> > Administrator to be not a very good way to install applications. As far

> as
>> > I
>> > see temporary for application installation period raising user

> privileges
>> > to be the best installation approach. Maybe there is the uility like

> runas
>> > which can temporary raise the privileges living all the user

> associations
>> > alone.
>> >
>> > I'd like to see the other views and opinions on the subject.
>> >
>> > Thanks
>> >
>> >

>>
>>

>
>



 
Reply With Quote
 
 
 
Reply

Thread Tools
Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Any file management strategy? Author #1 Microsoft ASP .NET 5 14th Aug 2009 04:03 PM
Can NOT find "Local users and groups" in Control Panel -> Management Tools -> Computer Management! dave Windows Vista General Discussion 3 30th Jun 2007 03:08 PM
Is there a way to synchronize favorites between 2 computers? i.e. copy any favorites on computer A but not computer B to computer B and any on computer B but not computer A to computer A? Huck Microsoft Outlook Contacts 1 17th Sep 2006 10:54 AM
computer account and application management strategy ILiya Microsoft Windows 2000 Setup 3 26th Jan 2005 02:49 PM
User Account Management /Password management???! Vince Microsoft Access Security 3 29th Sep 2003 08:52 PM


Features
 

Advertising
 

Newsgroups
 


All times are GMT +1. The time now is 02:10 PM.