Limit administrators permissions

#1

Hi,

In our company all users on XP are local administrators on their workstations to allow all the legacy apps to function.

I would like to restrict the administrators group rights on the workstation and more importantly prevent users from accessing other users' local profiles in Documents and Settings. How would I go about doing that?

Any help would be greatly appreciated.

Thanks.
Evan

#2

Not sure you can. Anything you do to lock them down would have to be done as administrator. They have administrator rights to the computer and they can reverse whatever you just did.

You might try this link to see if the app will work when logged in as a user instead of admin:
http://www.microsoft.com/windowsxp/...more/tips/daniels1.mspx

You might also see if they make a version compatible with XP.

hth
DDS W 2k MVP MCSE

"Evan" <anonymous@discussions.microsoft.com> wrote in message news:081b01c4d887$b37d89b0$a301280a@phx.gbl...
> Hi,
>
> In our company all users on XP are local administrators on their workstations to allow all the legacy apps to function.
>
> I would like to restrict the administrators group rights on the workstation and more importantly prevent users from accessing other users' local profiles in Documents and Settings. How would I go about doing that?
>
> Any help would be greatly appreciated.
>
> Thanks.
> Evan

#3

One of the main applications that we have on the XP SP2 image is Hummingbird DM 5 and it needs the user to be local admin, otherwise it does not install the Office 2003 integration bits. It writes to HKLM etc etc. Bad app but we have no choice. So that's why we need users to have local administrator access. Believe me, we tried to have it the other way but it delayed our project too much.

I would expect users not to know how to give themselves the rights again. So if you have any ideas on how to do it I would greatly appreciate them.

Thanks
Evan

> -----Original Message-----
> Not sure you can. Anything you do to lock them down would have to be done as administrator. They have administrator rights to the computer and they can reverse whatever you just did.
>
> You might try this link to see if the app will work when logged in as a user instead of admin:
> http://www.microsoft.com/windowsxp/...lpandsupport/learnmore/tips/daniels1.mspx
>
> You might also see if they make a version compatible with XP.
>
> hth
> DDS W 2k MVP MCSE

#4

Evan wrote:
> One of the main applications that we have on the XP SP2 image is Hummingbird DM 5 and it needs the user to be local admin, otherwise it does not install the Office 2003 integration bits.

You say install, but do you mean every single time you run it it needs to install something? If not, why not temporarily grant the user local admin rights, install what's needed, and revoke rights?

Does the app developer have a new version or workaround? I would complain up a storm about this - it's simply bad programming.

> It writes to HKLM etc etc.

Can't you change the permissions on the keys?
Have you tried FileMon and RegMon from www.sysinternals.com?

> Bad app but we have no choice. So that's why we need users to have local administrator access. Believe me, we tried to have it the other way but it delayed our project too much.
>
> I would expect users not to know how to give themselves the rights again. So if you have any ideas on how to do it I would greatly appreciate them.

You cannot expect to limit an administrator, really.

> Thanks
> Evan

#5

> One of the main applications that we have on the XP SP2 image is Hummingbird DM 5 and it needs the user to be local admin, otherwise it does not install the Office 2003 integration bits.

I'm not the least bit familiar with Hummingbird 5, but from the above statement I wonder if one could set the user up as admin for the install and first run of the app, then remove the user from the admin group. Would the program run fine for them then? Or does the Office part get installed each time the program starts?

If not I think your best bet would be to contact the maker of the app. There is not much you can do to lock down the admin of the computer.

hth
DDS W 2k MVP MCSE

"Evan" <anonymous@discussions.microsoft.com> wrote in message news:09e001c4d897$addefd30$a601280a@phx.gbl...
> One of the main applications that we have on the XP SP2 image is Hummingbird DM 5 and it needs the user to be local admin, otherwise it does not install the Office 2003 integration bits. It writes to HKLM etc etc. Bad app but we have no choice. So that's why we need users to have local administrator access. Believe me, we tried to have it the other way but it delayed our project too much.
>
> I would expect users not to know how to give themselves the rights again. So if you have any ideas on how to do it I would greatly appreciate them.
>
> Thanks
> Evan

#6

We had them onsite. It can't be done.

All I want to do is remove the administrators group's ability to view everyone's profile in documents and settings. The rest of the workstation we are locking down with AD group policies.

Here's my thinking:

Remove the administrators group from the documents and settings folder permissions.
Add authenticated users and then change the permissions so that domain users can log in, their profile gets created and they can see their own docs and stuff but cannot access everyone else's.

"Danny Sanders" wrote:
> > One of the main applications that we have on the XP SP2 image is Hummingbird DM 5 and it needs the user to be local admin, otherwise it does not install the Office 2003 integration bits.
>
> I'm not the least bit familiar with Hummingbird 5, but from the above statement I wonder if one could set the user up as admin for the install and first run of the app, then remove the user from the admin group. Would the program run fine for them then? Or does the Office part get installed each time the program starts?
>
> If not I think your best bet would be to contact the maker of the app. There is not much you can do to lock down the admin of the computer.
>
> hth
> DDS W 2k MVP MCSE

#7

> Remove the administrators group from the documents and settings folder permissions.

This would not be a solution if it did work, they could just add themselves back. The problem is with the bad application that forces you to put users in the admin group, not the OS.

hth
DDS W 2k MVP MCSE

"Evan" <Evan@discussions.microsoft.com> wrote in message news:62F30CB1-3332-4B58-9575-7CE58A8BD153@microsoft.com...
> We had them onsite. It can't be done.
>
> All I want to do is remove the administrators group's ability to view everyone's profile in documents and settings. The rest of the workstation we are locking down with AD group policies.
>
> Here's my thinking:
>
> Remove the administrators group from the documents and settings folder permissions.
> Add authenticated users and then change the permissions so that domain users can log in, their profile gets created and they can see their own docs and stuff but cannot access everyone else's.

#8

All I want to do is remove the administrators security group's ability to view everyone's profile in documents and settings.

"Lanwench [MVP - Exchange]" wrote:
> Evan wrote:
> > One of the main applications that we have on the XP SP2 image is Hummingbird DM 5 and it needs the user to be local admin, otherwise it does not install the Office 2003 integration bits.
>
> You say install, but do you mean every single time you run it it needs to install something? If not, why not temporarily grant the user local admin rights, install what's needed, and revoke rights?
>
> Does the app developer have a new version or workaround? I would complain up a storm about this - it's simply bad programming.
>
> > It writes to HKLM etc etc.
>
> Can't you change the permissions on the keys?
> Have you tried FileMon and RegMon from www.sysinternals.com?
>
> > Bad app but we have no choice. So that's why we need users to have local administrator access. Believe me, we tried to have it the other way but it delayed our project too much.
> >
> > I would expect users not to know how to give themselves the rights again. So if you have any ideas on how to do it I would greatly appreciate them.
>
> You cannot expect to limit an administrator, really.
>
> > Thanks
> > Evan

#9

You might want to try this. It can always be undone by the other administrator but they would need to be pretty sophisticated users.

1. Remove the administrators group from the documents and settings folder security.

Then

2. Use Group Policy to remove the Security Tab

Click on Start button, then Run and type "gpedit.msc", without the quotes.
Click on User Configuration/Administrative Templates/Windows Components/Windows Explorer then click on Remove Security Tab and then click Enable

Good Luck,
Mike

"Danny Sanders" <Danny.Sanders@NO-SPAMcpcmed.org> wrote in message news:u7TPyFK2EHA.1144@TK2MSFTNGP09.phx.gbl...
>> Remove the administrators group from the documents and settings folder permissions.
>
> This would not be a solution if it did work, they could just add themselves back. The problem is with the bad application that forces you to put users in the admin group, not the OS.
>
> hth
> DDS W 2k MVP MCSE

#10

"Evan" <anonymous@discussions.microsoft.com> wrote in message news:09e001c4d897$addefd30$a601280a@phx.gbl...
> One of the main applications that we have on the XP SP2 image is Hummingbird DM 5 and it needs the user to be local admin, otherwise it does not install the Office 2003 integration bits. It writes to HKLM etc etc. Bad app but we have no choice. So that's why we need users to have local administrator access. Believe me, we tried to have it the other way but it delayed our project too much.
>
> I would expect users not to know how to give themselves the rights again. So if you have any ideas on how to do it I would greatly appreciate them.
>
> Thanks
> Evan

Evan,

the typical solution to fix such applications is to use filemon/regmon to determine where the app reads/writes and change the ACLs but it looks like you have already tried the path.

I'm jumping into the thread because we do have a solution -- not free -- but a solution nonetheless. Our company sells a solution that would allow you to remove the users from the local admins group and elevate the privileges only for the Hummingbird DM application.

If interested to give NeoExec/AD a go then check it out on www.neovalens.com

cheers,
Marco
marco [alla] neovalens [punto] com
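
The FileMon/RegMon approach mentioned in this thread, as an added example that is not part of any post: capture the application while it runs as a limited user, then reduce the log to the keys and files where access was denied, so that only those ACLs need loosening. The tab-separated column layout, the result strings, `legacyapp.exe` and every path are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample in an assumed tab-separated RegMon/FileMon-style layout:
# seq, time, process:pid, request, path, result, other.
# "legacyapp.exe" and every path below are hypothetical placeholders.
_ROWS = [
    ("1", "10:02:11", "legacyapp.exe:1820", "OpenKey",
     r"HKLM\SOFTWARE\ExampleVendor\App", "SUCCESS", ""),
    ("2", "10:02:11", "legacyapp.exe:1820", "SetValue",
     r"HKLM\SOFTWARE\ExampleVendor\App\LastUser", "ACCDENIED", ""),
    ("3", "10:02:12", "legacyapp.exe:1820", "CreateKey",
     r"HKLM\SOFTWARE\ExampleVendor\App\Cache", "ACCDENIED", ""),
    ("4", "10:02:12", "explorer.exe:1304", "SetValue",
     r"HKLM\SOFTWARE\Other\Setting", "ACCDENIED", ""),
    ("5", "10:02:13", "legacyapp.exe:1820", "WRITE",
     r"C:\Program Files\ExampleVendor\app.ini", "ACCESS DENIED", ""),
    ("6", "10:02:13", "legacyapp.exe:1820", "SetValue",
     r"HKLM\SOFTWARE\ExampleVendor\App\Window", "ACCDENIED", ""),
    ("7", "10:02:14", "legacyapp.exe:1820", "QueryValue",
     r"HKCU\Software\ExampleVendor\Theme", "NOTFOUND", ""),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in _ROWS)

# Requests whose path ends in a value name or a new subkey name; the ACL
# that blocked them sits on the parent key.
PARENT_SCOPED = {"SetValue", "DeleteValue", "CreateKey"}


def parse_capture(text):
    """Yield one dict per well-formed capture line; skip short or blank lines."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        process = fields[2].rsplit(":", 1)[0].lower()  # drop the ":pid" suffix
        yield {"process": process, "request": fields[3],
               "path": fields[4], "result": fields[5].upper()}


def acl_target(request, path):
    """Return the key or file whose permissions caused the denial."""
    if request in PARENT_SCOPED and "\\" in path:
        return path.rsplit("\\", 1)[0]
    return path


def denied_targets(text, process):
    """Map each ACL target to the sorted requests the process was denied."""
    found = defaultdict(set)
    for ev in parse_capture(text):
        if ev["process"] == process.lower() and "DENIED" in ev["result"]:
            found[acl_target(ev["request"], ev["path"])].add(ev["request"])
    return {target: sorted(reqs) for target, reqs in sorted(found.items())}


if __name__ == "__main__":
    for target, requests in denied_targets(SAMPLE_LOG, "legacyapp.exe").items():
        print(f"{target}: {', '.join(requests)}")
```

Each listed target is a candidate for a narrowly scoped permission grant to the limited users; repeating the capture after each change shows whether any denials remain.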