Re: Programs that need admin rights, but user shouldn't have them



Looks like I actually got by by just upgrading the permissions on the
folders for domain\username to admin rights.

Done



"Repent34" <Repent34@xxxxxxxxxxxxxx> wrote in message
news:e9xvAGIbFHA.2980@xxxxxxxxxxxxxxxxxxxxxxx
> Bruce;
>
> thanks for the detailed reply.
>
> I am seeing #6 to be true. Some GPO settings stick and some don't. I did
> see in some of the helps that some settings talked about being able to be
> overwritten by local admins. Laziness on the part of the software vendors
> I'd guess. One of my biggest culprits is UPS Worldship. I think I may
> try a combination of 6-7. I like the idea of groups.
>
> I'll post here when I find the solution that works.
>
> chris
>
>
>
>
>
>
> "Bruce Sanderson" <Bruce.Sanderson@xxxxxxxxx> wrote in message
> news:egLDkUGbFHA.3120@xxxxxxxxxxxxxxxxxxxxxxx
>> 1. complain to the application vendor that their application is not "well
>> behaved" and they should modify it so it doesn't need "Administrator"
>> privileges.
>>
>> 2. in many such cases, applications only need the ability to modify files
>> in some folders that "Users" are not permitted by default to change. For
>> example, many "ill behaved" applications insist on storing data or
>> configuration information in their Program Files folder. In these cases,
>> if you grant Users "Modify" permission to those folders, they will no
>> longer need to be "Administrators" to run the application.
>>
>> 3. the Security Template called "compatws" selectively modifies
>> permissions on some folders and registry entries in such a way the "ill
>> behaved" applications can run with only User privileges. You apply
>> Security Templates using the "Security Configuration and Analysis" MMC
>> snap-in.
>>
>> 4. in some cases, the application's installation process will allow you
>> to specify where data and configuration files are to go. If you specify
>> a location that Users can Modify, they won't need to be Administrators to
>> run the application.
>>
>> 5. in some cases, the application's configuration files or registry
>> entries can be modified to specify that data files are to be stored in a
>> location other than the default. If this is the case, you can move the
>> data files to a location that Users can modify. You may have to contact
>> the vendor or do some investigation (using a tool like regmon or filemon
>> from System Internals) to find out if this is practical.
>>
>> If none of the above is useful:
>>
>> 6. some settings made via GPOs cannot be overridden by anyone that is an
>> Administrator on the computer (e.g. some of the Windows XP Firewall
>> settings), but others CAN be overridden by a local administrator. There
>> is not much you can do about this except not make the user an
>> Administrator. Often, the "Explain" or "Help" for these settings
>> indicates whether a local administrator can override the setting or not.
>>
>> 7. the GPO(s) may have Security Filtering or "Delegation" that prevents
>> the GPO from applying to user accounts in certain groups (e.g. a domain
>> group used to grant Administrator rights on workstations). In this case,
>> it may be possible to have one group for "true administrators" and
>> another group for "users that need to be administrators to run
>> applications". Both groups could be added to the local administrators
>> group on the workstation. Then, you could cause the GPO to be applied
>> for the second group, but not the first (but see 6 above).
>>
>> --
>> Bruce Sanderson MVP
>>
>> It's perfectly useless to know the right answer to the wrong question.
>>
>>
>> "Repent34" <Repent34@xxxxxxxxxxxxxx> wrote in message
>> news:eDopEvFbFHA.3328@xxxxxxxxxxxxxxxxxxxxxxx
>>>I have several programs that users need to run. These programs require
>>>the user to have local machine and domain local admin rights. I have
>>>noticed that they are now able to bypass a lot of the GPO settings because
>>>of their admin rights. Is there a setting in the GPOs that will make
>>>the GPOs apply to them as well? I want these users to be as restricted
>>>in what they can do as everyone else.
>>>
>>> chris
>>>
>>>
>>>
>>>
>>
>>
>
>
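
Option 2 from Bruce Sanderson's reply, sketched in PowerShell as an added example that is not part of the original thread: grant Modify on one application folder to a dedicated group instead of adding users to the local Administrators group. The folder path and group name are hypothetical placeholders.

```powershell
# Added example. $AppFolder and $Group are hypothetical; substitute the folder
# the application actually writes to and a group created for its users.
param(
    [string]$AppFolder = 'C:\Program Files\ExampleApp\Data',
    [string]$Group     = 'EXAMPLE\ExampleApp-Users'
)

if (-not (Test-Path -LiteralPath $AppFolder -PathType Container)) {
    throw "Folder not found: $AppFolder"
}

# Modify, not FullControl: members can create, change and delete files,
# but cannot change the folder's permissions or take ownership.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Add the rule to the existing ACL; inherited and other explicit entries stay.
$acl = Get-Acl -LiteralPath $AppFolder
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $AppFolder -AclObject $acl

# Confirm what the group now holds on the folder.
(Get-Acl -LiteralPath $AppFolder).Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# List program files under the folder that the group can now overwrite.
# A non-empty result means the grant covers code as well as data, so the
# rule belongs on a narrower subfolder.
Get-ChildItem -LiteralPath $AppFolder -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll', '.bat', '.cmd' } |
    Select-Object -ExpandProperty FullName
```

Run it from an elevated session on the workstation. Members of the group remain ordinary Users, so GPO settings continue to apply to them.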

