Running Applications and Admin Rights

Barry Young

I have an application that is installed on an XP machine that is part of a
network. In order to install the applications the user was made a part of
the Domain Admins group. The application was installed and working fine.
Then the network administrator removed the user out of the Domain Admins
group and now the application is having problems running. Files in the
application folder became read only, even after the user was given rights to
the application folders, things are not running properly.

What is the proper way to install an application on a machine in a domain
based environment?

You need admin rights to install, but then have problems running the
application.

The application also uses Palm Desktop and conduits. How do you manage the
installation of this logged on as Admin and then giving the appropriate
rights to the folders and application libraries?

Thanks!

Barry
 
Colin Nash [MVP]

First of all, you should never never never never give Domain Admin rights to
the users. That is completely unnecessary and pretty much allows that user
to destroy your whole domain. It's important to understand what "Domain
Admin" means.

You can give a user admin rights to a local machine. On the machine, run
LUSRMGR.MSC from Start --> Run and add them to the Administrators group.
This limits their 'power' to that specific computer.

The best practice though is to have all users run under standard user
accounts with no admin privileges. If the application insists on having
admin rights, you should re-evaluate its use and/or contact the publisher
for an updated version. Most properly-written applications will require an
administrator to install it, but can then be used by any user.

You might have to give NTFS permissions to some folders/files and
permissions to some registry keys if you want to keep the user limited while
allowing them to run programs that are poorly designed. There is no magic
bullet solution other than playing with the NTFS permissions and using
REGEDT32 to set permissions on whatever registry keys it tries to change.

From what I can recall about Palm's desktop software: You need to make the
user an administrator (of the workstation, not of the domain!!!), install it
under their profile, give them NTFS permissions to the C:\PALM folder (or
wherever it gets installed... maybe under PROGRAM FILES), run the program
once doing a sync, and then remove the admin rights.
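
The folder and registry grants described in the reply above, as an added example that is not part of the original thread: a PowerShell sketch that gives one standard user Modify on the application folder and write access to one application registry key. It assumes PowerShell is available on the workstation and is run by an administrator; the account name and the registry key are placeholders, and `C:\PALM` is the folder guessed at in the reply.

```powershell
# Added example: scoped ACL grants for a legacy app, so the user can stay a standard user.
param(
    [string]$Identity  = 'DOMAINNAME\bob',                          # placeholder account
    [string]$AppFolder = 'C:\PALM',                                 # folder named in the reply
    [string]$AppRegKey = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'  # hypothetical key
)

function Grant-FolderModify {
    param([string]$Path, [string]$Account)
    $acl = Get-Acl -Path $Path
    # Modify, not FullControl: the user can write data but cannot rewrite the ACL
    # or take ownership. The inheritance flags cover subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-RegistryWrite {
    param([string]$Path, [string]$Account)
    $acl = Get-Acl -Path $Path
    # Read, set values and create subkeys only; no delete and no permission changes.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $Account, 'ReadKey,SetValue,CreateSubKey', 'ContainerInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-AccountAccess {
    # Returns the ACL entries that name the account, for a before/after comparison.
    param([string]$Path, [string]$Account)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -ieq $Account }
}

if (Test-Path -Path $AppFolder) {
    Grant-FolderModify -Path $AppFolder -Account $Identity
    Get-AccountAccess  -Path $AppFolder -Account $Identity
} else {
    Write-Warning "Folder not found: $AppFolder"
}

if (Test-Path -Path $AppRegKey) {
    Grant-RegistryWrite -Path $AppRegKey -Account $Identity
    Get-AccountAccess   -Path $AppRegKey -Account $Identity
} else {
    Write-Warning "Registry key not found: $AppRegKey"
}
```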
 
Barry Young

Thanks Colin,

Again, I didn't give the Domain Admin rights, I am an application developer
that is trying to install an application and the Network Admin set the user
access rights for the install. I installed an Access 2000 app and Palm
Desktop and a specialized conduit app, and everything worked fine under the
user as admin.

The application is an Access 2000 application using their local platform
configuration. I create an MDE file (runtime file) and copy the file to
their machine and run it under Access 2000. I have had strange things
happen as a result of Admin vs User rights to the machine. In these cases, I
have had to copy the source code to the target machine and create the MDE or
compile the app on the machine to get it to run. If I compile it on another
XP machine and copy the file I get reference errors. (This is probably an
Access Forum Question).

So my question now is, the application was installed under the User as part
of the Admins Domain Group. Now the user has been removed from this group,
the Admin has granted read / write access to all the application folders,
and still is having problems accessing the file. If they log on as Admin,
no problem... If they log on as a user who has been given the rights, still
this user has problems.

Basically, the goal is not to have to return on-site and re-install
everything.

Any suggestion on what to do?

Thanks for all of your help!

Barry
 
Colin Nash [MVP]

Well you can still give the user Admin rights to workstation. It's bad, but
not as bad as Domain Admin. (Domain Admin could delete everybody else's
account if he wanted to... or wipe out the files on servers)

You should be able to remotely connect to the computer and add the user to
the *local* admin group. Have the network admin do this:

Run COMPMGMT.MSC from Start ---> Run. Right-click on the top where it says
"Computer Management (Local)" and choose Connect to another computer...
Type the name of the computer (or browse to it.) Click OK. Under the
Local Users and Groups section, open up the Administrators group and add the
user's domain account into there (for example DomainName\BOB.) Actually, try
it with "Power Users" instead of "Administrators" first, and see if that
works. Changes will take effect the next time the user logs out and back
into the system.

As a network admin, I would want you, as a developer, to make your app work
while logged in with a non-privileged account. I don't know enough about
development to really help you with that. Anyway, that's where I'm coming
from here :)

--
Colin Nash
Microsoft MVP
Windows Printing/Imaging/Hardware
 
