Grant domain clients admin rights?

minipower

Hi,

I have one more problem - I want to give domain clients Administrator rights,
because many programs don't run without administrator rights. I noticed strange
behaviour - to give domain clients Administrator rights isn't sufficient for
programs to work, they also want DomainAdministrator rights to work correctly,
but I can't do this, I don't want to give clients so hard privileges. I only
want to give clients all privileges locally, but I don't want to give them
domain privileges. Can I do that? I need the domain only for authentication
purposes for the firewall.

m
 
ptwilliams

I'll try not to rant about crap programming with this...

You have a number of options here: you can head over to sysinternals.com
and download regmon and see what reg keys are being accessed and then grant
permissions to these keys. You can simply apply the compatws security
template: http://support.microsoft.com/?id=269259

Sometimes full control to \Program Files\programFolderName will suffice.
But generally one of the above is better.

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


 
Anthony Yates

You have to know what rights your application requires. You cannot give
domain admin rights to users just to use an application.

On the local machine it is not too hard. Generally the rights are:
* HKLM\Software\[your application]
* Program Files\[Your application]
* Winnt\[your ini file]

Just occasionally an application will refuse to work without local admin
rights, generally when it interacts with the hardware in some way, for
example Adobe Premiere. If local admin rights are not enough, it must be
using data on the network, and your users need rights to that.
They never need domain admin rights to use an application.

Anthony
 
Cary Shultz [A.D. MVP]

Minipower,

As Paul and Anthony have suggested, there is a better way. When you grant
the domain user account object local Administrator rights there are a whole
bunch of things that can - and do!, believe that - go terribly wrong. I
always tell the same story where a user deleted almost all of the fonts from
the font folder ( or was it the entire fonts folder, I do not remember now )
so that he could make more room on his hard drive for music files! As a
member of the local Administrators group the users will have complete access
to that specific system. He/she will be able to go everywhere, see
everything and do everything. And believe me. There are always a few who
'know more than you' and will do a bunch of crapola. You will spend a lot
of time with these particular users.....

And Paul is correct about the 'crap programming'. Now, I am not a
programmer so I do not understand all of the complexities involved. I would
simply think that it must be possible! There are lots of programs that
install and work just well when the user is simply a member of the local
Users group.

I run into this all the time. The Help Desk or Product Support or whatever
each company calls it will usually start off by asking you, 'Are they
members of the local Administrators group?'. I know that it is going to be
a long day when I hear this.....

Look into the sysinternals suggestion. It is a bit involved but is very
useful!

HTH,

Cary
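
Added example, not part of any post in this thread: a short Python script that takes a saved registry-monitor log, as in the regmon suggestion above, and lists the top-most keys where a program was denied access, so that rights can be granted on those keys instead of adding users to the local Administrators group. The tab-separated column layout, the result strings, the program name acctapp.exe and all sample lines are assumptions constructed for illustration.

```python
# Added example: summarise denied registry accesses from a monitor log.
# Assumed layout (not taken from the thread): tab-separated columns
# seq, time, process:pid, request, path, result, other.
from collections import defaultdict

# Constructed sample lines for a hypothetical application, acctapp.exe.
SAMPLE_LOG = "\n".join([
    "1\t0.10\tacctapp.exe:1234\tOpenKey\tHKLM\\Software\\AcctApp\tSUCCESS\t",
    "2\t0.11\tacctapp.exe:1234\tSetValue\tHKLM\\Software\\AcctApp\\Settings\\LastUser\tACCDENIED\t",
    "3\t0.12\tacctapp.exe:1234\tCreateKey\tHKLM\\Software\\AcctApp\\Settings\\Recent\tACCDENIED\t",
    "4\t0.13\tacctapp.exe:1234\tCreateKey\tHKLM\\Software\\AcctApp\\Settings\tACCDENIED\t",
    "5\t0.14\tacctapp.exe:1234\tSetValue\tHKLM\\System\\CurrentControlSet\\Services\\AcctDrv\\Start\tACCDENIED\t",
    "6\t0.15\texplorer.exe:400\tOpenKey\tHKCU\\Software\\Microsoft\tSUCCESS\t",
])
DENIED = {"ACCDENIED", "ACCESS DENIED"}  # assumed result strings
VALUE_REQUESTS = {"SetValue", "QueryValue", "DeleteValueKey"}  # path ends in a value name

def collapse(keys):
    """Keep only the top-most keys; a grant there is normally inherited by subkeys."""
    kept = []
    for key in sorted(keys, key=str.lower):
        if not any(key.lower().startswith(k.lower() + "\\") for k in kept):
            kept.append(key)
    return kept

def denied_keys(log_text):
    """Return {process name: top-most registry keys where access was denied}."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6 or cols[5].strip().upper() not in DENIED:
            continue  # blank, truncated or non-denied entries
        process = cols[2].split(":")[0].lower()
        request, path = cols[3], cols[4].rstrip("\\")
        if request in VALUE_REQUESTS:
            path = path.rsplit("\\", 1)[0]  # strip the value name, keep the key
        found[process].add(path)
    return {proc: collapse(keys) for proc, keys in found.items()}

def outside_root(keys, app_root):
    """Keys not under the application's own subtree: review before granting."""
    root = app_root.lower().rstrip("\\")
    return [k for k in keys if k.lower() != root and not k.lower().startswith(root + "\\")]

if __name__ == "__main__":
    keys = denied_keys(SAMPLE_LOG)["acctapp.exe"]
    print("grant Users access on:", keys)
    print("review first:", outside_root(keys, "HKLM\\Software\\AcctApp"))
```

Keys reported by outside_root fall outside the per-application locations Anthony lists and deserve a closer look before any permission is changed.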
 
