Limited User program permissions

[Dave]

I am new to Xp pro. I would like to give a limited user permission to run a
program that can write to the directory where the hosts file is. The best I
have been able to do is set it up so that the user has to enter the
administrator password.

Is there anything I can do to set permissions to allow this program to run
without the user needing to enter a password?

Thanks.

 

[Shenan Stanley]

I am new to Xp pro. I would like to give a limited user permission
to run a program that can write to the directory where the hosts
file is. The best I have been able to do is set it up so that the
user has to enter the administrator password.

Is there anything I can do to set permissions to allow this program
to run without the user needing to enter a password?

Change the appropriate file/folder/registry permissions for the applications
so the user has rights to the programs's given files/folders/registry...

 

[Bruce Chambers]

I am new to Xp pro. I would like to give a limited user permission to run a
program that can write to the directory where the hosts file is. The best I
have been able to do is set it up so that the user has to enter the
administrator password.

Is there anything I can do to set permissions to allow this program to run
without the user needing to enter a password?

Thanks.

You may experience some problems if the software was designed for
Win9x/Me, or if it was intended for WinNT/2K/XP, but was improperly
designed. Quite simply, the application doesn't "know" how to handle
individual user profiles with differing security permissions levels, or
the application is designed to make to make changes to "off-limits"
sections of the Windows registry or protected Windows system folders.

For example, saved data are often stored in a sub-folder under the
application's folder within C:\Program Files - a place where no
inexperienced or limited user should ever have write permissions.

It may even be that the software requires "write" access to parts
of the registry or protected systems folders/files that are not normally
accessible to regular users. (This *won't* occur if the application is
properly written.) If this does prove to be the case, however, you're
often left with three options: Either grant the necessary users
appropriate higher access privileges (either as Power Users or local
administrators), explicitly grant normal users elevated privileges to
the affected folders and/or part(s) or the registry, or replace the
application with one that was properly designed specifically for
WinNT/2K/XP.

Some Programs Do Not Work If You Log On from Limited Account
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q307091

Additionally, here are a couple of tips suggested, in a reply to a
different post, by MS-MVP Kent W. England:

"If your game or application works with admin accounts, but not with
limited accounts, you can fix it to allow limited users to access the
program files folder with "change" capability rather than "read" which
is the default.

C:\>cacls "Program Files\appfolder" /e /t /p users:c

where "appfolder" is the folder where the application is installed.

If you wish to undo these changes, then run

C:\>cacls "Program Files\appfolder" /e /t /p users:r

If you still have a problem with running the program or saving settings
on limited accounts, you may need to change permissions on the registry
keys. Run regedit.exe and go to HKLM\Software\vendor\app, where
"vendor\app" is the key that the software vendor used for your specific
program. Change the permissions on this key to allow Users full control."


--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell

 

[Dave]

You may experience some problems if the software was designed for
Win9x/Me, or if it was intended for WinNT/2K/XP, but was improperly
designed. Quite simply, the application doesn't "know" how to handle
individual user profiles with differing security permissions levels, or
the application is designed to make to make changes to "off-limits"
sections of the Windows registry or protected Windows system folders.

This is an old application; may have been written before XP. I was able to
accomplish what I wished, that is, allow a limited user to edit the hosts
file by running the command you indicated on the hosts file itself. I
substituted 'users' with the name of the limited account.

Thanks. But please see below.

For example, saved data are often stored in a sub-folder under the
application's folder within C:\Program Files - a place where no
inexperienced or limited user should ever have write permissions.

It may even be that the software requires "write" access to parts of
the registry or protected systems folders/files that are not normally
accessible to regular users. (This *won't* occur if the application is
properly written.) If this does prove to be the case, however, you're
often left with three options: Either grant the necessary users
appropriate higher access privileges (either as Power Users or local
administrators),

Again, being new to XP, I do not know how to give a user power user rights
or what this actually accomplishes. To be more clear, I have added limited
users to the Power Users group in under Computer Management. This does not
seem to accomplish anything. I am also confused as to why I only have two
options when setting up an account thru control panel/Users. It's either
limited or computer administrator. It seems like I should have that option
for Power User. I have looked around as best I can to find this info but
have been unsuccessful.


explicitly grant normal users elevated privileges to

the affected folders and/or part(s) or the registry, or replace the
application with one that was properly designed specifically for
WinNT/2K/XP.

Some Programs Do Not Work If You Log On from Limited Account
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q307091

Additionally, here are a couple of tips suggested, in a reply to a
different post, by MS-MVP Kent W. England:

"If your game or application works with admin accounts, but not with
limited accounts, you can fix it to allow limited users to access the
program files folder with "change" capability rather than "read" which is
the default.

C:\>cacls "Program Files\appfolder" /e /t /p users:c

where "appfolder" is the folder where the application is installed.

Yes, as stated above, this worked when I ran it on the hosts file itself.
Thanks.

If you wish to undo these changes, then run

C:\>cacls "Program Files\appfolder" /e /t /p users:r

I have not tried this yet but expect it to work. I am wondering if you
think I could run into any problem if a limited user (who is actually me)
has write access to the hosts file. As a user, I am unlikely to do
something that is a security risk. I do not get viruses and I have been
succesful in keeping all types of malware off my systems which until this
time consisted only of Win98se and WinMe.

If you still have a problem with running the program or saving settings on
limited accounts, you may need to change permissions on the registry keys.
Run regedit.exe and go to HKLM\Software\vendor\app, where "vendor\app" is
the key that the software vendor used for your specific program. Change
the permissions on this key to allow Users full control."

Perhaps this is where the original problem lies. The program itself is
no-install. Just drop it where you want it and run it. I do not find it in
under this registry key probably because it is no-install. Am I right?

 

[Dave]

You may experience some problems if the software was designed for
Win9x/Me, or if it was intended for WinNT/2K/XP, but was improperly
designed. Quite simply, the application doesn't "know" how to handle
individual user profiles with differing security permissions levels, or
the application is designed to make to make changes to "off-limits"
sections of the Windows registry or protected Windows system folders.

This is an old application; may have been written before XP. I was able to
accomplish what I wished, that is, allow a limited user to edit the hosts
file by running the command you indicated on the hosts file itself. I
substituted 'users' with the name of the limited account.

Thanks. But please see below.

For example, saved data are often stored in a sub-folder under the
application's folder within C:\Program Files - a place where no
inexperienced or limited user should ever have write permissions.

It may even be that the software requires "write" access to parts of
the registry or protected systems folders/files that are not normally
accessible to regular users. (This *won't* occur if the application is
properly written.) If this does prove to be the case, however, you're
often left with three options: Either grant the necessary users
appropriate higher access privileges (either as Power Users or local
administrators),

Again, being new to XP, I do not know how to give a user power user rights
or what this actually accomplishes. To be more clear, I have added limited
users to the Power Users group in under Computer Management. This does not
seem to accomplish anything. I am also confused as to why I only have two
options when setting up an account thru control panel/Users. It's either
limited or computer administrator. It seems like I should have that option
for Power User. I have looked around as best I can to find this info but
have been unsuccessful.


explicitly grant normal users elevated privileges to

the affected folders and/or part(s) or the registry, or replace the
application with one that was properly designed specifically for
WinNT/2K/XP.

Some Programs Do Not Work If You Log On from Limited Account
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q307091

Additionally, here are a couple of tips suggested, in a reply to a
different post, by MS-MVP Kent W. England:

"If your game or application works with admin accounts, but not with
limited accounts, you can fix it to allow limited users to access the
program files folder with "change" capability rather than "read" which is
the default.

C:\>cacls "Program Files\appfolder" /e /t /p users:c

where "appfolder" is the folder where the application is installed.

Yes, as stated above, this worked when I ran it on the hosts file itself.
Thanks.

If you wish to undo these changes, then run

C:\>cacls "Program Files\appfolder" /e /t /p users:r

I have not tried this yet but expect it to work. I am wondering if you
think I could run into any problem if a limited user (who is actually me)
has write access to the hosts file. As a user, I am unlikely to do
something that is a security risk. I do not get viruses and I have been
succesful in keeping all types of malware off my systems which until this
time consisted only of Win98se and WinMe.

If you still have a problem with running the program or saving settings on
limited accounts, you may need to change permissions on the registry keys.
Run regedit.exe and go to HKLM\Software\vendor\app, where "vendor\app" is
the key that the software vendor used for your specific program. Change
the permissions on this key to allow Users full control."

Perhaps this is where the original problem lies. The program itself is
no-install. Just drop it where you want it and run it. I do not find it in
under this registry key probably because it is no-install. Am I right?

 

[Bruce Chambers]

This is an old application; may have been written before XP. I was able to
accomplish what I wished, that is, allow a limited user to edit the hosts
file by running the command you indicated on the hosts file itself. I
substituted 'users' with the name of the limited account.

Thanks. But please see below.

Again, being new to XP, I do not know how to give a user power user rights
or what this actually accomplishes. To be more clear, I have added limited
users to the Power Users group in under Computer Management. This does not
seem to accomplish anything.

The Power Users group doesn't make a great deal of difference when
running applications. It mostly allows memebers to install device
drivers, like a new printer, or to create shares.

I am also confused as to why I only have two
options when setting up an account thru control panel/Users. It's either
limited or computer administrator. It seems like I should have that option
for Power User. I have looked around as best I can to find this info but
have been unsuccessful.

That's by design, in WinXP. Microsoft is moving their securoity model
away from the need for the Power Users, so they "hid" the group to
discourage it's use.

I have not tried this yet but expect it to work. I am wondering if you
think I could run into any problem if a limited user (who is actually me)
has write access to the hosts file. As a user, I am unlikely to do
something that is a security risk. I do not get viruses and I have been
succesful in keeping all types of malware off my systems which until this
time consisted only of Win98se and WinMe.

The hosts file is a prime target for some types of malware, so there is
an elevated risk when you weaken its security in this manner. It would
be the equivalent of your operating with administrative privileges.
Just how severe the risk depends upon your computing/browsing habits and
other precautions you have in place.

Perhaps this is where the original problem lies. The program itself is
no-install. Just drop it where you want it and run it. I do not find it in
under this registry key probably because it is no-install. Am I right?

It sounds like it, yes. If there was no installation routine, there
wouldn't be anything in the registry.


--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Many people would rather die than think; in fact, most do. -Bertrand Russell

 

[Dave]

The Power Users group doesn't make a great deal of difference when running
applications. It mostly allows memebers to install device drivers, like a
new printer, or to create shares.



That's by design, in WinXP. Microsoft is moving their securoity model
away from the need for the Power Users, so they "hid" the group to
discourage it's use.



The hosts file is a prime target for some types of malware, so there is an
elevated risk when you weaken its security in this manner. It would be
the equivalent of your operating with administrative privileges. Just how
severe the risk depends upon your computing/browsing habits and other
precautions you have in place.



It sounds like it, yes. If there was no installation routine, there
wouldn't be anything in the registry.

Thank you for all that info. I have been busy trying to understand XP. I
guess I'm getting there slowly.