In the pursuit of security and limiting the needless right's of users, I am
investigating what kind of local permissions are needed by my Windows XP
users. Currently all users have local Administrator rights to their PC's.

If anyone aware of a tool or simple method that can determine if users need
local administrator rights? For example, a tool that will notify you if the
application made a change to the registry or wrote to program files in a way
that only administrators can do? My users span several different networks
and the applications are all accross the board.

My last resort is to call the vendors of the applications being used, but
this will be quite a burden. If anyone has any ideas to better anyalyze
this, please let me know.

Thank you!

Mike Chavez wrote:
> In the pursuit of security and limiting the needless right's of
> users, I am investigating what kind of local permissions are needed
> by my Windows XP users. Currently all users have local
> Administrator rights to their PC's.
> If anyone aware of a tool or simple method that can determine if
> users need local administrator rights? For example, a tool that
> will notify you if the application made a change to the registry or
> wrote to program files in a way that only administrators can do? My users
> span several different networks and the applications are
> all accross the board.
> My last resort is to call the vendors of the applications being
> used, but this will be quite a burden. If anyone has any ideas to
> better anyalyze this, please let me know.

They don't _need_ administrative rights.

You can use filemon and regmon to determine what an application does all the
time. However - for most applications, it may need rights to its own folder
or its own registry values (or the user's folders/registry values) - but any
well-written modern Windows application should not need administrative
rights to run.

The exceptions are few and far between.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

Hello Shenan,

Thank you for taking the time to reply. I will look into the filemon/regmon
apps.

Regards,

Mike Chavez

"Shenan Stanley" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Mike Chavez wrote:
>> In the pursuit of security and limiting the needless right's of
>> users, I am investigating what kind of local permissions are needed
>> by my Windows XP users. Currently all users have local
>> Administrator rights to their PC's.
>> If anyone aware of a tool or simple method that can determine if
>> users need local administrator rights? For example, a tool that
>> will notify you if the application made a change to the registry or
>> wrote to program files in a way that only administrators can do? My users
>> span several different networks and the applications are
>> all accross the board.
>> My last resort is to call the vendors of the applications being
>> used, but this will be quite a burden. If anyone has any ideas to
>> better anyalyze this, please let me know.
>
> They don't _need_ administrative rights.
>
> You can use filemon and regmon to determine what an application does all
> the time. However - for most applications, it may need rights to its own
> folder or its own registry values (or the user's folders/registry
> values) - but any well-written modern Windows application should not need
> administrative rights to run.
>
> The exceptions are few and far between.
>
> --
> Shenan Stanley
> MS-MVP
> --
> How To Ask Questions The Smart Way
> http://www.catb.org/~esr/faqs/smart-questions.html
>