Program needs Administrator access

[Guest]

I have a group of windows xp computers that run Autocad. I can not run the
program unless they have administrative privileges. If I use the runas
shortcut I can run the program, but, the user can not open their network
drive to find one of there files. I can not make each user a local
administrator because I have 1000 users (that change yearly). Is there a way
to make every authenticated user logon with local administrator privileges at
logon, or some other access to the program I’m not thinking of?

 

[Colin Nash [MVP]]

I have a group of windows xp computers that run Autocad. I can not run the
program unless they have administrative privileges. If I use the runas
shortcut I can run the program, but, the user can not open their network
drive to find one of there files. I can not make each user a local
administrator because I have 1000 users (that change yearly). Is there a
way
to make every authenticated user logon with local administrator privileges
at
logon, or some other access to the program I'm not thinking of?

Often you can get these apps to work by giving Modify NTFS permissions to
the program folders, to the users and/or giving them permissions to modify
the registry keys associated with the app.

If that fails, you could add INTERACTIVE to the local admin group on the
workstations if you really want to let every person who logs on locally to
have admin rights. This is slightly better than adding "Everyone" because
at least people will need to physically access the workstation to gain the
admin privilege. It's still not a great idea security-wise though.

If you have a domain, you could create an "Autocad Users" group and then add
this group to the local administrators group on workstations (either
manually or automatically with a restricted groups group policy.) Then you
just need to populate this group with the appropriate users, as they come
and go.

If this is a school-type setting you may want to look into the Shared
Computer Toolkit which will let you put some restrictions on the systems
even if you are giving everyone the admin rights.
http://www.microsoft.com/windowsxp/sharedaccess/default.mspx . Specifically,
the Windows Disk Protection feature may be of use (it can reset all changes
made to the hard drive back to initial settings on each reboot.)

 

[Bruce Chambers]

I have a group of windows xp computers that run Autocad. I can not run the
program unless they have administrative privileges. If I use the runas
shortcut I can run the program, but, the user can not open their network
drive to find one of there files. I can not make each user a local
administrator because I have 1000 users (that change yearly). Is there a way
to make every authenticated user logon with local administrator privileges at
logon, or some other access to the program I’m not thinking of?

You may experience some problems if the software was designed for
Win9x/Me, or if it was intended for WinNT/2K/XP, but was improperly
designed. Quite simply, the application doesn't "know" how to handle
individual user profiles with differing security permissions levels, or
the application is designed to make to make changes to "off-limits"
sections of the Windows registry or protected Windows system folders.

For example, saved data are often stored in a sub-folder under the
application's folder within C:\Program Files - a place where no
inexperienced or limited user should ever have write permissions. (Games
are particularly likely to follow this horrible practice.)

It may even be that the software requires "write" access to parts
of the registry or protected systems folders/files that are not normally
accessible to regular users. (This *won't* occur if the application is
properly written.) If this does prove to be the case, however, you're
often left with three options: Either grant the necessary users
appropriate higher access privileges (either as Power Users or local
administrators), explicitly grant normal users elevated privileges to
the affected folders and/or part(s) or the registry, or replace the
application with one that was properly designed specifically for
WinNT/2K/XP.

Some Programs Do Not Work If You Log On from Limited Account
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q307091

Additionally, here are a couple of tips suggested, in a reply to a
different post, by MS-MVP Kent W. England:

"If your game or application works with admin accounts, but not with
limited accounts, you can fix it to allow limited users to access the
program files folder with "change" capability rather than "read" which
is the default.

C:\>cacls "Program Files\appfolder" /e /t /p users:c

where "appfolder" is the folder where the application is installed.

If you wish to undo these changes, then run

C:\>cacls "Program Files\appfolder" /e /t /p users:r

If you still have a problem with running the program or saving
settings on limited accounts, you may need to change permissions on
the registry keys. Run regedit.exe and go to HKLM\Software\vendor\app,
where "vendor\app" is the key that the software vendor used for your
specific program. Change the permissions on this key to allow Users
full control."



--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

 

[Guest]

Another point to watch is that in earlier releases, changing user broke the
registration/activation. Might have been fixed by now, but I'd not make any
assumptions on this.

 

[Marco Peretti]

I have a group of windows xp computers that run Autocad. I can not run the
program unless they have administrative privileges. If I use the runas
shortcut I can run the program, but, the user can not open their network
drive to find one of there files. I can not make each user a local
administrator because I have 1000 users (that change yearly). Is there a
way
to make every authenticated user logon with local administrator privileges
at
logon, or some other access to the program I'm not thinking of?

http://nonadmin.editme.com/ has a few other suggestions and links to a few
tools that may help.

cheers,

Marco

marco [alla] neovalens [punto] com

 

[Guest]

Thanks Colin / others, Interactive logon worked.
I'm not overly happy with the amount of security it gives the user, but I
need to deploy this lab ASAP for other reasons. Modifying NTFS permissions
didn't seem to work, and I not sure about the registry settings. I will try
some of the other fore mentioned solutions.
This is a school setting.

MCP, MCSE, A+, Apple, etc. etc.

 

[Steven L Umbach]

If you can not get the application to work for regular users then it still
is worthwhile to use Group Policy and Software Restriction Policies to try
and lock users down. This will not stop determined and skilled users from
doing things to the computer that are not wanted but probably will restrict
the vast majority of users that do not understand what the administrator
account is and can do or do not care. Adding the users to a global group
[assuming an Active Directory domain here] and giving that group deny
permissions for write and delete to the program files folder and system
folder may be worth attempting though the users may need more access to the
application folder itself in the program files folder. --- Steve

 

[Blackhole]

...........................

If that fails, you could add INTERACTIVE to the local admin group on the
workstations if you really want to let every person who logs on locally to
have admin rights. This is slightly better than adding "Everyone" because
at least people will need to physically access the workstation to gain the
admin privilege. It's still not a great idea security-wise though.

If you have a domain, you could create an "Autocad Users" group and then
add this group to the local administrators group on workstations (either
manually or automatically with a restricted groups group policy.) Then
you just need to populate this group with the appropriate users, as they
come and go.

How does INTERACTIVE differ from doing the autocad users domain group? I
know (from testing it) that by doing the autocad group and adding them to
the local admin group through group policy, it gived them local admin to
every PC. The unfortunate side effect is they can be on one PC and then
browse another PC's admin shares ( IE \\PC-a\c$) across the network. Not
good. Local admin I could deal with in our situation, browsing other
peoples PC's across the network I can't!