Group policy

Guest

I am new to AD and group policy. Our environment is mixed mode as we have NT
and 2000 servers. I have two questions:
1. There is a software application for a certain group of users (Windows XP
pro), which requires local admin rights on the PC. Is there a way so that
users can use this application even though they are power users? If yes, how
to configure this using group policy?
2. For certain users, I need to lock down a few of the PCs in general
area. These users only require printer management and running an application
using IE. I also want that when a tech logs on these PCs, he/she has complete
access to all the resources on these PCs? I need to have some tips on
defining group policies for either these users or for these computers?
 
Tomasz Onyszko

Rajeev said:
> I am new to AD and group policy. Our environment is mixed mode as we have NT
> and 2000 servers. I have two questions:
> 1. There is a software application for a certain group of users (Windows XP
> pro), which requires local admin rights on the PC. Is there a way so that
> users can use this application even though they are power users? If yes, how
> to configure this using group policy?

I don't know the requirements of this application but in most cases no -
what you should do is run Filemon and Regmon (both great tools from
sysinternals.com) and check which permissions this application requires
on the file system and registry - in most cases you will be able to
configure system permissions to let your user use this application
without giving them Admin rights.

> 2. For certain users, I need to lock down a few of the PCs in general
> area. These users only require printer management and running an application
> using IE. I also want that when a tech logs on these PCs, he/she has complete
> access to all the resources on these PCs? I need to have some tips on
> defining group policies for either these users or for these computers?

Group the users who have to have limited access in one OU, configure a GPO
which will lock down the configuration of the PCs at this OU level. Create a
second group of users who have to have full access to these PCs - create a
security group for them - for example Tech_Users. Use the GPO Restricted
Groups option to force this group as a member of the Administrators group.

http://support.microsoft.com/kb/q279301
 
Marco

Rajeev

Modifying ACLs on files and registry keys works most of the time. Some
applications set some registry keys under HKCU where the current user is the
user that installed the application and that will not work when running
under a different user account as the registry hive will not be available at
all. If that is the case you may want to give our own NeoExec for Active
Directory a go.

PS: in some cases you may also export and import the registry keys but it
does not work all the time.

cheers,

Marco
www.neovalens.com
 
Cary Shultz [A.D. MVP]

Rajeev,

As Tomasz suggested, you might want to use Regmon and Filemon from
http://www.sysinternales.com and see what directory structure and/or reg
keys are creating the problems ( meaning, access denied or whatnot ).

Now, is this to use the software or to install the software? I would think
that this would simply be to install the software but that after it is
installed they can be members of the Users group or of the Power Users group
and use it to its fullest. If this is indeed the case then I might suggest
that you consider using GPO to install the software ( or, in GPOesse, deploy
the application ). You can do this so that it is assigned to the computer
configuration or that it is assigned/published to the user
configuration......

For the second point, I might consider locking down the computers via Group
Policy Loopback processing. This is a really neat thing and very easy to
do. A lot of people do this for Terminal Servers and for Kiosk machines.
You would simply make a security group that contains your tech people and
make sure that they are not included. Tomasz is pretty much telling you the
same thing.

HTH,

Cary
 
Guest

Thank you all for all your suggestions. The problem is not with install. We
can install the apps with no problems, but when I log on as a user who is a
power user, the application starts but hangs before the login screen for this
application. We have tried giving permissions to application folders etc., but
no help. The moment you make this user a local admin, everything works. This
is only the client component of the main application which is running on a
separate server. It has its own database. I was discussing this with the
application provider and they say that to run the application on a PC, one
has to have the local admin rights. So, I believe, I have no choice for this
one.

For the second part I will try as suggested and hope this works.

Rajeev A.
 
Guest

Hi All,

I have found a solution to my local admin rights and the application
problem. I provided the full control rights to the application using
regedit->local machine->software-> application and here I changed the
permission and now I am able to work on this application from any user mode
(local admin or power user).

Now I need help creating a GPO to apply to this application user community.
Any suggestions are welcome!

Thanks and regards

Rajeev Agarwal
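
The registry permission change described in the post above, scripted so it can be repeated on each PC and granted to one security group instead of being edited by hand in regedit. This is an added example, not part of the thread; the key path `HKLM:\SOFTWARE\ExampleVendor\ExampleApp` and the group `EXAMPLE\App_Users` are placeholders.

```powershell
# Added example. The key path and group name are placeholders, not values from the thread.
$KeyPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'   # hypothetical application key
$Group   = 'EXAMPLE\App_Users'                         # hypothetical security group

function Grant-AppKeyAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        # FullControl matches what the post did; narrower rights such as
        # 'ReadKey, WriteKey' can be passed to test whether the app still runs.
        [System.Security.AccessControl.RegistryRights]$Rights = 'FullControl'
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Key not found: $Path" }

    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # apply to subkeys too
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    # SetAccessRule replaces any existing Allow rule for this identity,
    # so running the script twice does not stack duplicate entries.
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-AppKeyAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity
    )
    # List the entries for this identity so the change can be verified.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
}

# Must be run elevated, since the key lives under HKLM.
Grant-AppKeyAccess -Path $KeyPath -Identity $Group
Get-AppKeyAccess   -Path $KeyPath -Identity $Group
```

The same key permission can also be set from a GPO linked to the OU holding these PCs, under Computer Configuration > Windows Settings > Security Settings > Registry.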
 