Re: allow users to run application

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/19/05 

Date: Sat, 19 Feb 2005 13:04:27 -0600

Andrew gives great advice on tracking down permissions problems. Usually you
will find users denied access to the application folder in program files,
the application subfolder in program files\common files, the application
subfolder folder in the all users profiles\application data folder, or the
HKLM\software folder for the application. It is not always possible to solve
the problem with permission changes. If the user can run the application as
a power user then it should be able to be solved with modifying permissions.

If all that fails and since the clients are XP Pro you can use Software
Restriction Policies to restrict what application a domain user runs and
installs on their domain computer. This also can apply to local
administrators via the enforcement rule [except for safe mode]. Of course a
local administrator could always unjoin a computer from the domain to avoid
any domain policy assuming they know that they are an administrator, that
they know how, and would take the risk based on consequences in your user
computer use policy. The link below explains SRP more. You will probably
find that using hash and path rules will do what you want and check all the
files that are considered applications for SRP as admins usually get tripped
up not realizing that shortcuts are considered applications by default. ---
Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
  --- SRP.

"Paul" <Paul@discussions.microsoft.com> wrote in message
news:FE93CB2D-A852-4991-AE45-41C36E1A9EE6@microsoft.com...
>I have a bunch of application that needs admin rights to run. They will be
> installed locally to the user PC is their away I can create a policy to
> allow
> the domain user to run these programs without giving them admin rights to
> the
> PC?
>
> It would be great to have a domain wide policy but we could do local
> policy
> if need be. I realy don't want to have them do a run as.
>
> It is a xp on 2003 enviroment.
>
> Thank you for any help.

Relevant Pages

  • Re: Trouble with Win2003 Folder Redirection Policy
    ... giving NTFS permissions to that group. ... From what information you've given me the policy is correct as long as ... The user's home folder in the profile section of the AD has been ... updated to the new server as well. ...
    (microsoft.public.windows.server.general)
  • Re: recurring 1058/1030 USERENV events every 5 mins
    ... This posting is provided "AS IS" with no warranties, ... The policy causing the 1058 messages ... permissions either so surely if this was the issue the messages ... Root folder is the highest folder so "windows" ...
    (microsoft.public.windows.server.general)
  • Re: recurring 1058/1030 USERENV events every 5 mins
    ... permissions either so surely if this was the issue the messages would ... Root folder is the highest folder so "windows" ... Default Domain Policy and is one i have customised over time. ... Also one of the articles mentions permissions for the "everyone" ...
    (microsoft.public.windows.server.general)
  • Re: AD DC and File Permissions
    ... The Group policy setting for file and folder security is found under ... > NIL about file permissions there. ...
    (microsoft.public.win2000.active_directory)
  • Re: SBS03 Repair redirected My Documents permissions
    ... I wonder what would happen if you edited the redirection policy to include the setting "grant the user exclusive rights to documents," and then did a gpupdate /force. ... I know that's the setting that will set the permissions correctly for new folders, but I have no idea whether or not it'll change the existing ones, either when the policy updates on the SBS, or when the user logs into a workstation and the policy gets applied. ... Am I correct in assuming that I should let the permissions from the folder ...
    (microsoft.public.windows.server.sbs)