Group Policy to allow user to run program without bring local admi

[Guest]

I looked but didn't see this elsewhere so hopefully I'm not making a repeat
request.

I've got a 2K enviroment w/SP4 and XP clients most w/SP2.

Is there anyway, using group policy, that I can allow a user to run a
program that normally would require them to be set up as a local
administrator? We have some software, ie Payroll, bank software, that require
the user to have local adminstrator rights...not to just install but actually
run. A few will let me take them down to Power User but there are still a few
that will not run unless they are a local admin. I want to be able to take
away the admin and power user rights and let them return to being a
restricted user.

Thanks in advance.

 

[Herb Martin]

I looked but didn't see this elsewhere so hopefully I'm not making a repeat
request.

I've got a 2K enviroment w/SP4 and XP clients most w/SP2.

Is there anyway, using group policy, that I can allow a user to run a
program that normally would require them to be set up as a local
administrator?

Not really.

We have some software, ie Payroll, bank software, that require
the user to have local adminstrator rights...not to just install but actually
run. A few will let me take them down to Power User but there are still a few
that will not run unless they are a local admin. I want to be able to take
away the admin and power user rights and let them return to being a
restricted user.

Such software should be replaced -- it is incorrectly designed
but the reality may be you cannot do this at this time.

Basicly you need to make the users local administrators of their
own machine (probably.)

 

[Ace Fekay [MVP]]

Such software should be replaced -- it is incorrectly designed
but the reality may be you cannot do this at this time.

Basicly you need to make the users local administrators of their
own machine (probably.)

Or you can give the user account access to the registry keys the software is
trying to access/alter/change. Bu I agree, it would be much easier and more
secure if there's an updated version of the software that will run under the
current operating systems.

--
Regards,
Ace

G O E A G L E S !!!
Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.

 

[Jimmy Andersson [MVP]]

IIRC, the Application Compatibility Tools have a "fix" that usually can take
care of these kind of probs... Do a search for ACT on
www.microsoft.com/downloads, I know I've used that "feature" a while
back....

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------

 

[Ace Fekay [MVP]]

In

IIRC, the Application Compatibility Tools have a "fix" that usually
can take care of these kind of probs... Do a search for ACT on
www.microsoft.com/downloads, I know I've used that "feature" a while
back....

Regards,
/Jimmy

Thanks, Jimmy. Didn't know this one existed.

Here's the link:
http://www.microsoft.com/downloads/...55-b8a4-46cd-a236-3159970fde94&DisplayLang=en

Ace

 

[Herb Martin]

Or you can give the user account access to the registry keys the software is
trying to access/alter/change. Bu I agree, it would be much easier and more
secure if there's an updated version of the software that will run under the
current operating systems.

This is very difficult to do in practice -- not the act of
granting the access, that's trivial but rather finding which
registry and perhaps file permissions to change.

Anyone wishing to do this will likely need something like
the file and registry monitor tools (free) from SysInternals.com

Maybe even have to monitor system objects or tokens etc.

You basically run these things while using the software and
log what the they touch. You might also have to enable some
complicated registry and file AUDITING scheme to discover
anything you miss (audit for failures of object access -- that's
the easy part.)

Obviously, from the above, I have done this, but it is not fun
usually and not always (immediately) successful.

 

[Herb Martin]

IIRC, the Application Compatibility Tools have a "fix" that usually can take
care of these kind of probs... Do a search for ACT on
www.microsoft.com/downloads, I know I've used that "feature" a while
back....

Now, that's cool. If I knew about these then I had forgotten
them.

Thanks

--
Herb Martin

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------

 

[Guest]

Thank you to everyone who responded. I'm going to give the Windows
Application Compatibility Toolkit a try and see what I can do. I wish
something could be done about the software but what we use comes directly
from the bank we do business with and ADP. Any complaints I have just fall on
deaf ears.

 

[Guest]

And the file and registry monitor tools (free) from SysInternals.com. Didn't
want to forget that.

 

[Herb Martin]

And the file and registry monitor tools (free) from SysInternals.com. Didn't
want to forget that.

There are a LOT of other cool (and mostly free) tools
there too.

 

[Ace Fekay [MVP]]

In

There are a LOT of other cool (and mostly free) tools
there too.

There's a tool called ART (Adv Reg Tracer), that will show you what registry
settings are attempting to be modified or accessed by the app. Of course,
one needs to be logged in to the machine as an admin or Power User to allow
the changes so this picks it up. There are other tools in the link below as
well, that can be used.

http://www.softlandmark.com/Registry.htm

But I would try the Application Compatibility tool first.

Ace