Allow Registry Access but NOT install programs


Andrew

I have a user logged into a Win2k domain. They have a program that needs to
access the registry when it is launched. Unfortunately the only workaround
is to grant admin or power user rights, neither of which I want to give
because they have a bad habit of installing programs like AIM and Snood. How
do I let this one program access the registry without letting them install
programs?
 

Charlyoz

Andrew,

You could allow access to a specific registry key used by the application.
Registry permissions can be set using a number of tools.
The default available is regedt32 (Start -> Run -> regedt32 -> Security ->
Permissions), or you can try subinacl, available from Microsoft.
Have a look at http://support.microsoft.com/?kbid=288129 for a similar
example.

Hope this helps.

CharlyOz.
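A present-day way to do what CharlyOz describes, added here as an example and not part of the thread: the same per-key permission, set with PowerShell's Get-Acl/Set-Acl instead of regedt32 or subinacl (PowerShell is not available on Windows 2000 itself, so this assumes a current Windows client). The key path HKLM:\SOFTWARE\Vendor\App and the group DOMAIN\AppUsers are placeholders, and the rights granted (read, set value, create subkey, but no Delete or change-permissions) are the usual least-privilege choice, not something the thread specifies.

```powershell
# Added example, not from the thread: grant one domain group the rights an
# application needs on its own registry key, instead of making the user a
# Power User or Administrator. Run elevated on the client.
# Assumed placeholders: DOMAIN\AppUsers and HKLM:\SOFTWARE\Vendor\App.
param(
    [string]$KeyPath  = 'HKLM:\SOFTWARE\Vendor\App',
    [string]$Identity = 'DOMAIN\AppUsers'
)

if (-not (Test-Path -Path $KeyPath)) {
    throw "Registry key not found: $KeyPath"
}

$acl = Get-Acl -Path $KeyPath

# Least privilege: read the key, write values and create subkeys under it,
# but no Delete and no WriteDAC / TakeOwnership, so the user cannot loosen
# the ACL further or remove the key.
$rights = [System.Security.AccessControl.RegistryRights]::ReadKey -bor
          [System.Security.AccessControl.RegistryRights]::SetValue -bor
          [System.Security.AccessControl.RegistryRights]::CreateSubKey

# ContainerInherit: subkeys the application creates get the same ACE.
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $Identity, $rights, $inherit, $prop, $allow)

# SetAccessRule replaces any existing Allow ACE for this identity, so the
# script can be re-run without stacking duplicate entries.
$acl.SetAccessRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Show the resulting ACE so the change can be documented.
(Get-Acl -Path $KeyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $Identity } |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags, AccessControlType -AutoSize
```

Apply it to the narrowest key that regmon (or today Process Monitor) shows ACCDENIED on, never to HKLM\SOFTWARE as a whole; the point of the exercise is that the user gets write access to this application's settings and nothing else.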
 

Walter Schulz

> I have a user logged into a Win2k domain. They have a program that needs to
> access the registry when it is launched. Unfortunately the only workaround
> is to grant admin or power user rights, neither of which I want to give
> because they have a bad habit of installing programs like AIM and Snood. How
> do I let this one program access the registry without letting them install
> programs?

As CharlyOz said: use REGEDT32 to apply registry permissions. In most
cases you also need to add some NTFS permissions for the %ProgramFiles%
directory.

This is the procedure we're using to find out which settings are
needed.
REGMON and FILEMON are tools downloadable at www.sysinternals.com.
The tools don't need to be installed, just expand them in a temp
directory on the client (C:\temp).

1. The application is installed and runs fine under administrative
   accounts.
2. Log in as domain user. Run "runas /user:dom\administrator cmd".
3. In the command line interface popping up, start c:\temp\regmon and
   C:\temp\filemon.
4. Open the application from the menu or Explorer (under user rights).
5. Now switch to the monitoring tools, stop the scanning itself and
   search for ACCDENIED in the regmon screen and ACCESS DENIED in filemon.
   There is a highlight option in the menu which comes in handy because the
   logs grow very, very fast sometimes.
   Ignore the obligatory access errors to a media and security subkey.
6. For the ACCDENIED keys in regmon (recommended to change before going
   to filemon) you have to open REGEDT32 from the command line and follow
   the description CharlyOz pointed to.
7. Then clear the regmon log, start the scan process and run the
   application again. You may have to redo this several times until
   no ACCDENIED item related to the app is shown.

Then you can switch to filemon and have a look at the file
permissions. Some apps are still using INI files located in %ProgramFiles%
to store user settings. Or even better: INI files located in %WINDIR%
(%SYSTEMROOT%). To change this I usually access \\client\c$ over the
network using a second client logged in with dom admin rights.

In some perverted cases you may need to use GPOs to set permissions on
INIs in %SYSTEMROOT%. Some apps insist on changing files by deleting
the file and recreating it afterwards. Result: file permissions given once
by SUBINACL are lost.

If the client is running fine you have done the first part. Document it
well!

To prevent going mad changing several clients you may want to use a batch
with SUBINACL or a GPO. Using SUBINACL inside a computer logon script
(*not* in a user logon script) is possible.

Further questions?

Ciao, Walter
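The NTFS half of Walter's procedure, as an added example that is not part of the thread: an inheritable Modify ACE on the application's directory, set from a computer startup script, so that an INI file the application deletes and recreates inherits the permission instead of losing an ACE that was set on the file itself (the case Walter describes with SUBINACL). Written in PowerShell for a current Windows client rather than the Win2k-era tools; the directory C:\Program Files\Vendor\App, the group DOMAIN\AppUsers and the choice of the Modify right are assumptions, and the check function is there so the script can be re-run from the startup script without stacking duplicate ACEs.

```powershell
# Added example, not from the thread: NTFS side of the same least-privilege
# fix, meant to run as a computer startup script (GPO) so every client gets
# identical ACLs. Assumed placeholders: DOMAIN\AppUsers and
# C:\Program Files\Vendor\App.
param(
    [string]$AppDir   = 'C:\Program Files\Vendor\App',
    [string]$Identity = 'DOMAIN\AppUsers'
)

function Grant-AppDirAccess {
    param([string]$Path, [string]$Who)

    $acl = Get-Acl -LiteralPath $Path

    # Modify (read, write, delete) is enough for apps that delete and
    # recreate their INI file; deliberately not FullControl, so the user
    # cannot change the ACL itself.
    $rights  = [System.Security.AccessControl.FileSystemRights]::Modify
    # Inheritable on subfolders AND files: a recreated INI inherits this ACE,
    # whereas an explicit ACE on the old file is gone once the file is deleted.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Who, $rights, $inherit, $prop, $allow)

    # Replaces any existing Allow ACE for this identity on the directory.
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-AppDirAccess {
    # Returns $true when the directory already carries an Allow ACE for $Who
    # that includes Modify and is inherited by files (ObjectInherit).
    param([string]$Path, [string]$Who)

    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $objInh = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

    $ace = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Who -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $modify) -eq $modify) -and
        (($_.InheritanceFlags -band $objInh) -ne 0)
    }
    return [bool]$ace
}

if (-not (Test-Path -LiteralPath $AppDir)) {
    throw "Application directory not found: $AppDir"
}

# Idempotent: only touch the ACL when the required ACE is missing, so the
# startup script is cheap on every boot and does not churn the DACL.
if (-not (Test-AppDirAccess -Path $AppDir -Who $Identity)) {
    Grant-AppDirAccess -Path $AppDir -Who $Identity
}
```

This covers INI files under %ProgramFiles%; for the %SYSTEMROOT% case Walter mentions, grant the ACE on the single file's parent directory only if the application really recreates the file there, and prefer the Group Policy File System security settings over a script when the directory is shared with the operating system.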
 
