Re: Allow user to run application as a power user
- From: "Björn Holmgren" <bjohol@xxxxxxxxxxx>
- Date: Thu, 26 May 2005 13:50:52 +0200
"Ed Murphy" <EdMurphy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2139A0D4-CB28-45F1-BC9C-249F2B36D74A@xxxxxxxxxxxxxxxx
> Hello,
>
> I have an application that I am distributing with SMS. The problem that I
> am having is that the application, now on the target machine, requires power
> user or admin privileges to run. I can run the application via SMS in the
> system context, but that will not help, since the app configures the user's
> environment.
>
> So unless someone knows of an easier solution, I need to run a script, in
> the system context that makes the current logged on user a member of the
> local power users group, if they are not already a member of that group or
> the admins group and then run the application under the user's context.
> Finally, after the application is complete, the script, under the system
> context again, would then revert the user back to his former permission
> level, i.e., return user to former group memberships.
>
> I don't think that this can be done with one script, because of the context
> issues. But, since I am using SMS, I can use three different scripts and
> chain them together.
>
> 1. Promote the current logged in user to a member of the local power users
> group, if needed.
> 2. Run the application under the user's context.
> 3. Demote the current logged in user back to his original group memberships.
>
> Since we don't normally allow membership in the power users group, I guess
> it would be ok to specifically remove the user from the power users, but if,
> in the future, we did allow permanent power users, this approach could cause
> problems.
>
> Another concern is security. I realize that during the period between the
> first and third scripts that the user could exploit the elevated privileges.
> Worse yet, they could kill the process before the third script can run, which
> would leave them in the elevated state.
>
> Unfortunately, I am really just learning to script, so the details are
> currently beyond me. I am not sure if these scripts should be in VB or not.
> If anyone could offer suggestions or point me in the right direction, I would
> be grateful.
>
> Thanks,
>
> Ed

Hi Ed,

My main concern with your proposed solution is that in order for the system
to recognize the user as a power user (i.e. member of the power users group),
the user would have to logoff/logon before starting the application (but
after joining the power users group).

The best solution IMO - if at all possible - would be to find out exactly
what makes the application require poweruser/admin privileges, and then
tweak the installation package to give normal users the rights needed, for
instance via secedit. If security changes are extensive, it's probably
better to just grant the user power user privileges permanently (or for as
long as he/she is using the application).

--
Björn Holmgren
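
Added example, not part of the reply above or of any vendor package: one way to apply the secedit suggestion is a small security template that gives the built-in Users group write access only to the objects the application needs. The folder path, registry key and file names are hypothetical placeholders; the SDDL strings follow the pattern of the default Windows security templates.

```powershell
# Added example. Run elevated or in the system context (e.g. as the SMS program).
# Placeholder objects: replace with the locations the application actually
# writes to. Prefer a data subfolder over the folder that holds executables.
$work = Join-Path $env:TEMP 'exampleapp-acl'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'exampleapp.inf'
$db  = Join-Path $work 'exampleapp.sdb'
$log = Join-Path $work 'exampleapp.log'

# Security template. Entry format: "object",mode,"SDDL".
# mode 0 = propagate inheritable permissions to subfolders/subkeys.
# BU (Users) gets read/write/execute/delete on these two objects only;
# BA (Administrators), SY (SYSTEM) and CO (Creator Owner) keep full control.
# D:P replaces the object's DACL and blocks inheritance from the parent.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
"C:\Program Files\ExampleApp\Data",0,"D:P(A;CIOI;GRGWGXSD;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
[Registry Keys]
"MACHINE\SOFTWARE\ExampleVendor\ExampleApp",0,"D:P(A;CI;GRGWSD;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
'@
Set-Content -Path $inf -Value $template -Encoding Unicode

# Check the template syntax before touching any ACLs.
& secedit.exe /validate $inf
if ($LASTEXITCODE -ne 0) { Write-Warning "Validation reported a problem: $inf" }

# Apply only the file-system and registry sections of the template.
& secedit.exe /configure /db $db /cfg $inf /areas FILESTORE REGKEYS /log $log /quiet
if ($LASTEXITCODE -ne 0) { Write-Warning "Check the secedit log: $log" }
```

Because the change is to object permissions rather than to group membership, it takes effect without the user logging off and on again.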