allow users to run application

[Guest]

I have a bunch of application that needs admin rights to run. They will be
installed locally to the user PC is their away I can create a policy to allow
the domain user to run these programs without giving them admin rights to the
PC?

It would be great to have a domain wide policy but we could do local policy
if need be. I realy don't want to have them do a run as.

It is a xp on 2003 enviroment.

Thank you for any help.

 

[Andrew Mitchell]

I have a bunch of application that needs admin rights to run. They will
be installed locally to the user PC is their away I can create a policy
to allow the domain user to run these programs without giving them admin
rights to the PC?

Use regmon and filemon from www.sysinternals.com when the app is running
under a normal user account to find out what the app is trying to access that
is being denied.
You can then use a combination of file/folder permissions (set via a startup
script assigned through a GPO) and registry permissions (set directly via a
GPO) to allow the applicatin to run.

 

[Steven L Umbach]

Andrew gives great advice on tracking down permissions problems. Usually you
will find users denied access to the application folder in program files,
the application subfolder in program files\common files, the application
subfolder folder in the all users profiles\application data folder, or the
HKLM\software folder for the application. It is not always possible to solve
the problem with permission changes. If the user can run the application as
a power user then it should be able to be solved with modifying permissions.

If all that fails and since the clients are XP Pro you can use Software
Restriction Policies to restrict what application a domain user runs and
installs on their domain computer. This also can apply to local
administrators via the enforcement rule [except for safe mode]. Of course a
local administrator could always unjoin a computer from the domain to avoid
any domain policy assuming they know that they are an administrator, that
they know how, and would take the risk based on consequences in your user
computer use policy. The link below explains SRP more. You will probably
find that using hash and path rules will do what you want and check all the
files that are considered applications for SRP as admins usually get tripped
up not realizing that shortcuts are considered applications by default. ---
Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
--- SRP.

 

[Jimmy Andersson [MVP]]

In additions to Andrew's and Steven's great answers, you can also use the
Application Compatibility Toolkit to find out what the application tries to
do.

http://www.microsoft.com/windows/appcompatibility/default.mspx

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------

Andrew gives great advice on tracking down permissions problems. Usually
you will find users denied access to the application folder in program
files, the application subfolder in program files\common files, the
application subfolder folder in the all users profiles\application data
folder, or the HKLM\software folder for the application. It is not always
possible to solve the problem with permission changes. If the user can run
the application as a power user then it should be able to be solved with
modifying permissions.

If all that fails and since the clients are XP Pro you can use Software
Restriction Policies to restrict what application a domain user runs and
installs on their domain computer. This also can apply to local
administrators via the enforcement rule [except for safe mode]. Of course
a local administrator could always unjoin a computer from the domain to
avoid any domain policy assuming they know that they are an administrator,
that they know how, and would take the risk based on consequences in your
user computer use policy. The link below explains SRP more. You will
probably find that using hash and path rules will do what you want and
check all the files that are considered applications for SRP as admins
usually get tripped up not realizing that shortcuts are considered
applications by default. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx -
-- SRP.

I have a bunch of application that needs admin rights to run. They will be
installed locally to the user PC is their away I can create a policy to
allow
the domain user to run these programs without giving them admin rights to
the
PC?

It would be great to have a domain wide policy but we could do local
policy
if need be. I realy don't want to have them do a run as.

It is a xp on 2003 enviroment.

Thank you for any help.

 

[Bruce Sanderson]

Another posssibility is to apply the compatws security template - use the
Security and Configuration Analysis mmc Snap-in. This changes the security
on variuos things that are often required so that users can run "not well
behaved" programs.

I also suggest contacting the program's vendor and suggest they modify their
application to follow the generic rules for Windows based applications so
customers don't have this problem.

--
Bruce Sanderson MVP

It's perfectly useless to know the right answer to the wrong question.

Andrew gives great advice on tracking down permissions problems. Usually
you will find users denied access to the application folder in program
files, the application subfolder in program files\common files, the
application subfolder folder in the all users profiles\application data
folder, or the HKLM\software folder for the application. It is not always
possible to solve the problem with permission changes. If the user can run
the application as a power user then it should be able to be solved with
modifying permissions.

If all that fails and since the clients are XP Pro you can use Software
Restriction Policies to restrict what application a domain user runs and
installs on their domain computer. This also can apply to local
administrators via the enforcement rule [except for safe mode]. Of course
a local administrator could always unjoin a computer from the domain to
avoid any domain policy assuming they know that they are an administrator,
that they know how, and would take the risk based on consequences in your
user computer use policy. The link below explains SRP more. You will
probably find that using hash and path rules will do what you want and
check all the files that are considered applications for SRP as admins
usually get tripped up not realizing that shortcuts are considered
applications by default. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx -
-- SRP.

I have a bunch of application that needs admin rights to run. They will be
installed locally to the user PC is their away I can create a policy to
allow
the domain user to run these programs without giving them admin rights to
the
PC?

It would be great to have a domain wide policy but we could do local
policy
if need be. I realy don't want to have them do a run as.

It is a xp on 2003 enviroment.

Thank you for any help.

 

[Steven L Umbach]

That certainly can work but the thing I don't like about it is that it will
give users write access to places like the system folder, though it is a
better option that making the user a power user. Often a few tweaks will
allow an application to work if the user is lucky. --- Steve

Another posssibility is to apply the compatws security template - use the
Security and Configuration Analysis mmc Snap-in. This changes the
security on variuos things that are often required so that users can run
"not well behaved" programs.

I also suggest contacting the program's vendor and suggest they modify
their application to follow the generic rules for Windows based
applications so customers don't have this problem.

--
Bruce Sanderson MVP

It's perfectly useless to know the right answer to the wrong question.

Andrew gives great advice on tracking down permissions problems. Usually
you will find users denied access to the application folder in program
files, the application subfolder in program files\common files, the
application subfolder folder in the all users profiles\application data
folder, or the HKLM\software folder for the application. It is not always
possible to solve the problem with permission changes. If the user can
run the application as a power user then it should be able to be solved
with modifying permissions.

If all that fails and since the clients are XP Pro you can use Software
Restriction Policies to restrict what application a domain user runs and
installs on their domain computer. This also can apply to local
administrators via the enforcement rule [except for safe mode]. Of course
a local administrator could always unjoin a computer from the domain to
avoid any domain policy assuming they know that they are an
administrator, that they know how, and would take the risk based on
consequences in your user computer use policy. The link below explains
SRP more. You will probably find that using hash and path rules will do
what you want and check all the files that are considered applications
for SRP as admins usually get tripped up not realizing that shortcuts are
considered applications by default. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx -
-- SRP.

I have a bunch of application that needs admin rights to run. They will
be
installed locally to the user PC is their away I can create a policy to
allow
the domain user to run these programs without giving them admin rights
to the
PC?

It would be great to have a domain wide policy but we could do local
policy
if need be. I realy don't want to have them do a run as.

It is a xp on 2003 enviroment.

Thank you for any help.