Re: Programs that need admin rights, but user shouldn't have them
- From: "Bruce Sanderson" <Bruce.Sanderson@xxxxxxxxx>
- Date: Wed, 8 Jun 2005 13:03:24 -0700
1. complain to the application vendor that their application is not "well
behaved" and they should modify it so it doesn't need "Administrator"
privileges.
2. in many such cases, applications only need the ability to modify files in
some folders that "Users" are not permitted by default to change. For
example, many "ill behaved" applications insist on storing data or
configuration information in their Program Files folder. In these cases, if
you grant Users "Modify" permission to those folders, they will no longer
need to be "Administrators" to run the application.
3. the Security Template called "compatws" selectively modifies permissions
on some folders and registry entries in such a way the "ill behaved"
applications can run with only User privileges. You apply Security
Templates using the "Security Configuration and Analysis" MMC snap-in.
4. in some cases, the application's installation process will allow you to
specify where data and configuration files are to go. If you specify a
location that Users can Modify, they won't need to be Administrators to run
the application.
5. in some cases, the application's configuration files or registry entries
can be modified to specify that data files are to be stored in a location
other than the default. If this is the case, you can move the data files to
a location that Users can modify. You may have to contact the vendor or do
some investigation (using a tool like regmon or filemon from System
Internals) to find out if this is practical.
If none of the above is useful:
6. some settings made via GPOs can not be overriden by anyone that is an
Administrator on the computer (e.g. some of the Windows XP Firewall
settings), but others CAN be overriden by a local administrator. There is
not much you can do about this except not make the user an Administrator.
Often, the "Explain" or "Help" for these settings indicates whether a local
administrator can override the setting or not.
7. the GPO(s) may have Security Filtering or "Delegation" that prevents the
GPO from applying to user accounts in certain groups (e.g. a domain group
used to grant Administrator rights on workstations). In this case, it may
be possible to have one group for "true administrators" and another group
for "users that need to be administrators to run applications". Both groups
could be added to the local administrators group on the workstation. Then,
you could cause the GPO to be applied for the second group, but not the
first (but see 6 above).
--
Bruce Sanderson MVP
It's perfectly useless to know the right answer to the wrong question.
"Repent34" <Repent34@xxxxxxxxxxxxxx> wrote in message
news:eDopEvFbFHA.3328@xxxxxxxxxxxxxxxxxxxxxxx
>I have several programs that users need to run. These programs require the
>user to have local machine and domain local admin rights. I have noticed
>that they are now able to bypass alot of the GPO settings because of their
>admin rights. Is there a setting in the GPO's that will make the GPO's
>apply to them as well. I want these users to be as restricted in what they
>can do as everyone else.
>
> chris
>
>
>
>
.
- Follow-Ups:
- References:
- Prev by Date: Programs that need admin rights, but user shouldn't have them
- Next by Date: Re: GP Firewall Settings
- Previous by thread: Programs that need admin rights, but user shouldn't have them
- Next by thread: Re: Programs that need admin rights, but user shouldn't have them
- Index(es):
Relevant Pages
|
Loading
