Re: 2003 AD
From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 01/19/05
- Next message: Cary Shultz [A.D. MVP]: "Re: Using Group Policy to give install permission"
- Previous message: Cary Shultz [A.D. MVP]: "Re: software deployment .MST files"
- In reply to: B Pollick: "2003 AD"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 18 Jan 2005 19:13:07 -0500
B,
There is something called 'Restricted Groups' GPO that might help you.
Please look at the following MSKB Articles:
http://support.microsoft.com/?id=320065
http://support.microsoft.com/?id=810076
Please pay particular attention to the IMPORTANT note in 320065! You could
try Power Users first and then, if necessary, Administrators.
However, there might be a better way. Usually the application needs access
to certain areas of the registry or to some folder(s). There might be an
easy answer. Simply give the users the necessary permissions to those
registry and / or folder(s). Now, how to determine the who and the what?
Look at regmon and filemon at http://www.sysinternals.com for the answer!
And do not get me started on the application needing the domain user account
objects to be members of the local Administrators group!!!! Lazy
programmers!!!!!! Well, not always. If it is an older application ( really
'older' ) when WIN98 was the king....
-- Cary W. Shultz Roanoke, VA 24014 Microsoft Active Directory MVP http://www.activedirectory-win2000.com http://www.grouppolicy-win2000.com "B Pollick" <B Pollick@discussions.microsoft.com> wrote in message news:73A55532-F27A-4EE8-A585-78581860176A@microsoft.com... > We are moving to AD from a NT 4.0 domain structure. Everything is going > well > for the exception that some application such as Application Extender and > E-Backoffice require that the user be a member of the local administrators > group on the local machine. I think this is because the application are > attempting to write to the registry; (e-backoffice error, Can not create > user > key). Is there a way within the GPO to allow these applications to > function > correctly yet have the security locked down at the workstation level? Any > assistance would be great.
- Next message: Cary Shultz [A.D. MVP]: "Re: Using Group Policy to give install permission"
- Previous message: Cary Shultz [A.D. MVP]: "Re: software deployment .MST files"
- In reply to: B Pollick: "2003 AD"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
