Admin rights

G

Guest

We have an app here at work that will only run as a user with admin rights.
In 2k they could be a power user but not in xp. The developers here at work
do not want to listen and think that giving the user admin rights is the best
solution. I can think a more that a couple of reasons not to give all the
users local admin rights but that is a different post.

My question is other then scripting RunAs with VBscript to run the app is
there any way to give the users admin like rights for just that app. Like
with a GPO or regedit hack. If scripting is the only solution then how can I
encrypt the script so my password is not in clear text. Or if this is not the
right newsgroup let me know where to go
 
G

Galen

In newguy <[email protected]> had this to say:

My reply is at the bottom of your sent message:
We have an app here at work that will only run as a user with admin
rights. In 2k they could be a power user but not in xp. The
developers here at work do not want to listen and think that giving
the user admin rights is the best solution. I can think a more that a
couple of reasons not to give all the users local admin rights but
that is a different post.

My question is other then scripting RunAs with VBscript to run the
app is there any way to give the users admin like rights for just
that app. Like with a GPO or regedit hack. If scripting is the only
solution then how can I encrypt the script so my password is not in
clear text. Or if this is not the right newsgroup let me know where
to go
Click to expand...

Right click the application, select the "run as" option and set it to run
with the credentials of an administrator account which can be, if you
wanted, one setup specifically for this that the user doesn't have access
to. I don't know a way to do it with either GPO or reghack but this would
prevent the average user from getting the password as it wouldn't be in
plain text in the GUI nor in the registry.

Galen
--

"And that recommendation, with the exaggerated estimate of my ability
with which he prefaced it, was, if you will believe me, Watson, the
very first thing which ever made me feel that a profession might be
made out of what had up to that time been the merest hobby."

Sherlock Holmes
 
S

Steve N.

newguy said:
We have an app here at work that will only run as a user with admin rights.
In 2k they could be a power user but not in xp. The developers here at work
do not want to listen and think that giving the user admin rights is the best
solution. I can think a more that a couple of reasons not to give all the
users local admin rights but that is a different post.

My question is other then scripting RunAs with VBscript to run the app is
there any way to give the users admin like rights for just that app. Like
with a GPO or regedit hack. If scripting is the only solution then how can I
encrypt the script so my password is not in clear text. Or if this is not the
right newsgroup let me know where to go
Click to expand...

Grant the Users group full access permission to that application's
folder. Right click on the folder, Properties and select Security tab,
select Users and then check mark Allow next to Full Control and click
Apply. If Security tab isn't there then you'll need to trun off Simple
File Sharing in Tools, Folder options, View, scoll all the way down and
uncheck it.

Steve
 
S

Steve N.

Galen said:
In newguy <[email protected]> had this to say:

My reply is at the bottom of your sent message:




Right click the application, select the "run as" option and set it to run
with the credentials of an administrator account which can be, if you
wanted, one setup specifically for this that the user doesn't have access
to. I don't know a way to do it with either GPO or reghack but this would
prevent the average user from getting the password as it wouldn't be in
plain text in the GUI nor in the registry.

Galen
Click to expand...

The way I read it he doesn't want to use Run As.

In most cases it is simply a matter of granting the Users group full
control for the application's folder. In some rarer cases they also need
Full Control of the Windows\Temp folder. In even rarer cases it won't
work no matter what you do, but since it worked in Win2K for Power Users
I doubt that would be the case.

Steve
 
B

Bruce Chambers

newguy said:
We have an app here at work that will only run as a user with admin rights.
In 2k they could be a power user but not in xp. The developers here at work
do not want to listen and think that giving the user admin rights is the best
solution. I can think a more that a couple of reasons not to give all the
users local admin rights but that is a different post.

My question is other then scripting RunAs with VBscript to run the app is
there any way to give the users admin like rights for just that app. Like
with a GPO or regedit hack. If scripting is the only solution then how can I
encrypt the script so my password is not in clear text. Or if this is not the
right newsgroup let me know where to go
Click to expand...


You may experience some problems if the software was designed for
Win9x/Me, or if it was intended for WinNT/2K/XP, but was improperly
designed. Quite simply, the installation routine for this application
doesn't "know" how to handle individual user profiles, or the
application tries to make changes to "off-limits" sections of the
registry or protected Windows system folders. Quite often, you can make
this software available to other users by _copying_ the Start Menu
folder and Desktop folder shortcuts from the user profile from which the
software was installed in the corresponding folders in the user
profile(s) in which you'd like the software to be accessible. If the
application is something that can/should be made available to all
current and future users, copying the shortcuts into the corresponding
locations of the All Users profile will do the trick.

For some obscure reason, game developers in particular seem to not
understand WinXP's file security paradigm, and require even limited
users to have unnecessarily high privileges to protected systems
folders. For example, saved games are often stored in a sub-folder
under the game's folder within C:\Program Files - a place where no
inexperienced or limited user should ever have write permissions.

NOTE: This may not work if the software requires access to parts
of the hard drive and/or registry that are not normally accessible to
regular users. (This won't occur if the application was properly
written.) If this does prove to be the case, however, you're left with
two options: Either grant the necessary users appropriate higher access
privileges (either as Power Users or local administrators), or replace
the application with one that was properly designed specifically for
WinNT/2K/XP.

Some Programs Do Not Work If You Log On from Limited Account
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q307091

Additionally, here are a couple of tips suggested, in a reply to a
different post, by MS-MVP Kent W. England:

"If your game or application works with admin accounts, but not with
limited accounts, you can fix it to allow limited users to access the
program files folder with "change" capability rather than "read" which
is the default.

C:\>cacls "Program Files\appfolder" /e /t /p users:c

where "appfolder" is the folder where the application is installed.

If you wish to undo these changes, then run

C:\>cacls "Program Files\appfolder" /e /t /p users:r

If you still have a problem with running the program or saving
settings on limited accounts, you may need to change permissions on
the registry keys. Run regedit.exe and go to HKLM\Software\vendor\app,
where "vendor\app" is the key that the software vendor used for your
specific program. Change the permissions on this key to allow Users
full control."


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
G

Galen

In Steve N. <[email protected]> had this to say:

My reply is at the bottom of your sent message:
The way I read it he doesn't want to use Run As.

In most cases it is simply a matter of granting the Users group full
control for the application's folder. In some rarer cases they also
need Full Control of the Windows\Temp folder. In even rarer cases it
won't work no matter what you do, but since it worked in Win2K for
Power Users I doubt that would be the case.

Steve
Click to expand...

Steve,

You're probably right about that. I figured that they might be just not want
to actually do the VBScript. When I re-read it I was able to see a bit more
clearly methinks. Now that I think about it, and thank you for that, the
idea of setting the folder permissions might be a better general work around
for use when people ask about apps that they can't get running in a second
acount for instance. I'll have to play around with that. There's a lot that
can be done with proper configuration of permissions, much more than I'd
ever thought about when I was first playing with 2k for instance, though the
security tab isn't there by default with Simple File Sharing enabled...
Hmm... Tough one to decide about for home users now that I think about it...
I'll play with that idea for a couple of days and see what I'm able to come
up with. Describing how to disable Simple File Sharing in a manner that's
easily understood could be a bit of a problem.

Galen
--

"And that recommendation, with the exaggerated estimate of my ability
with which he prefaced it, was, if you will believe me, Watson, the
very first thing which ever made me feel that a profession might be
made out of what had up to that time been the merest hobby."

Sherlock Holmes
 
S

Steve N.

Galen said:
In Steve N. <[email protected]> had this to say:

My reply is at the bottom of your sent message:




Steve,

You're probably right about that. I figured that they might be just not want
to actually do the VBScript. When I re-read it I was able to see a bit more
clearly methinks. Now that I think about it, and thank you for that, the
idea of setting the folder permissions might be a better general work around
for use when people ask about apps that they can't get running in a second
acount for instance. I'll have to play around with that. There's a lot that
can be done with proper configuration of permissions, much more than I'd
ever thought about when I was first playing with 2k for instance, though the
security tab isn't there by default with Simple File Sharing enabled...
Hmm... Tough one to decide about for home users now that I think about it...
I'll play with that idea for a couple of days and see what I'm able to come
up with. Describing how to disable Simple File Sharing in a manner that's
easily understood could be a bit of a problem.

Galen
Click to expand...

For Home Edition you have to boot to Safe Mode to get the Security tab
on folders.

Steve
 
G

Galen

In Steve N. <[email protected]> had this to say:

My reply is at the bottom of your sent message:
For Home Edition you have to boot to Safe Mode to get the Security tab
on folders.

Steve
Click to expand...

Yip, which means in order to describing it to the "average" user could be a
bit of a problem. We'd have to then add that to each description for using
permissions to access applications which were written poorly.

"Reboot, pound the snot out of the F8 key (except in a few rare OEM
situations where they've mapped F8 to something like a restoration process
or recovery agent, in that case it's probably F5 or should be inside your
manual -- if you even really got a manual with your PC that is) over and
over again."

I suppose then I'd have to get into telling them to make sure that they used
safe mode without networking and why they should do so. I'd probably really
have to tell them that the F8 key really needs to be pressed after the POST
(and explain that to them) and before the loading of the OS (and explain
that to them) and then they'll be mad because I made it too difficult.

Bah, I knew there was a reason I hadn't explored this further! <g>

Some people think the average user is not very good with computers, this is
generally true otherwise they wouldn't be average. I was reading something
the other day, I don't recall where, that put it into perspective. They may
very well be at the top of their field, and often are, though they're just
not computer savy enough to fix the problems or versed well enough in the
internet to research their problems. Hmm... Now that I think about it, I
think it was in one of the DTS lists that the above was put forth though I
don't recall who's idea it was.

That's wandering a bit away from the point of my thoughts on this though as
my original thought was that it would be fun explaining this to an average
user who's using XP Home. Were I a bit more gifted with the Enlish language,
I can't even spell really, I'd probably be able to do such a thing. Maybe
it's time to make a nice simple page describing it for Home Edition users?
I'll put it on my to-do list.

Galen
--

"And that recommendation, with the exaggerated estimate of my ability
with which he prefaced it, was, if you will believe me, Watson, the
very first thing which ever made me feel that a profession might be
made out of what had up to that time been the merest hobby."

Sherlock Holmes
 
G

Guest

Steve N. said:
The way I read it he doesn't want to use Run As.

In most cases it is simply a matter of granting the Users group full
control for the application's folder. In some rarer cases they also need
Full Control of the Windows\Temp folder. In even rarer cases it won't
work no matter what you do, but since it worked in Win2K for Power Users
I doubt that would be the case.

Steve
Click to expand...

Sorry it took so long to post back but the user that had this problem went
on vacation. He is coming back today so I will know for sure if your solution
worked. I tested it with his account as a Power User and it worked but I do
not use that app so I am not sure if is fully functional. I think it will be
fine. Thanks for your help as well as other people the replied to my post
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Send to Compressed Folder missing for limited users on XP Pro 2
XP local NTFS permissions 3
lost admin rights 2
Admin User Deleted 2
List of what I can't do with Admin Rights 6
scheduling a backup 7
USB flash drives require Admin rights 6
admin rights 2

Top