Re: Administrator Rights



Frank wrote:
I'd like to know how others deal with programs that require Administrator rights or they refuse to run. I'm currently running Windows 2000 Pro, but I'll be moving to XP and the issue is the same with either OS.

I don't want my domain users to have Administrator rights because they install things like Webshots and iTunes and other junk that could lead to spyware.

How do others balance this?

Thanks!


Nothing to balance, really; or rather, it's no contest. We don't sacrifice security for the sake of using obsolete or poorly designed applications. If an application cannot be configured to work on a secured OS, we simply take our business elsewhere, and buy an equivalent application (preferably from a competitor of the failed application's manufacturer) that will work. (Unfortunately, not everyone has the option of replacing obsolete - from a security point of view - software when needed.)

For those rare occasions when a legacy application must remain in use, for business reasons, the following may help:

You may experience some problems if the software was designed for Win9x/Me, or if it was intended for WinNT/2K/XP, but was improperly designed. Quite simply, the application doesn't "know" how to handle individual user profiles with differing security permissions levels, or the application is designed to make changes to "off-limits" sections of the Windows registry or protected Windows system folders.

For example, saved data may be stored in a sub-folder under the application's folder within C:\Program Files - a place where no inexperienced or limited user should ever have write permissions.

It may even be that the software requires "write" access to parts of the registry or protected systems folders/files that are not normally accessible to regular users. (This *won't* occur if the application is properly written.) If this does prove to be the case, however, you're often left with three options: either grant the necessary users appropriate higher access privileges (either as Power Users or local administrators), explicitly grant normal users elevated privileges to the affected folders and/or part(s) of the registry, or replace the application with one that was properly designed specifically for WinNT/2K/XP.

Some Programs Do Not Work If You Log On from Limited Account
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q307091

Additionally, here are a couple of tips suggested, in a reply to a different post, by MS-MVP Kent W. England:

"If your game or application works with admin accounts, but not with
limited accounts, you can fix it to allow limited users to access the
program files folder with "change" capability rather than "read" which
is the default.

C:\>cacls "Program Files\appfolder" /e /t /p users:c

where "appfolder" is the folder where the application is installed.

If you wish to undo these changes, then run

C:\>cacls "Program Files\appfolder" /e /t /p users:r

If you still have a problem with running the program or saving
settings on limited accounts, you may need to change permissions on
the registry keys. Run regedit.exe and go to HKLM\Software\vendor\app,
where "vendor\app" is the key that the software vendor used for your
specific program. Change the permissions on this key to allow Users
full control."


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having both at once. - RAH
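
Added example, not part of the original post or of the quoted tip: a PowerShell check (assuming a system with PowerShell 3.0 or later) that reports where Users or a broader group holds write-capable rights on the folder and registry key loosened by the workaround above, so the exceptions can be tracked and later reverted. The paths are the post's own placeholders and the function name `Get-BroadWriteAce` is hypothetical.

```powershell
# Added example (not from the original post). Paths are the post's placeholders.
$targets = 'C:\Program Files\appfolder', 'HKLM:\Software\vendor\app'

# Well-known SIDs, so the check does not depend on localized group names.
$broadSids = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-1-0'      = 'Everyone'
}

# Rights that let a limited user change content in a folder or a registry key.
$fsWrite  = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$regWrite = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

# Hypothetical helper name; emits one object per matching Allow entry.
function Get-BroadWriteAce {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Not found: $p"; continue }
        $acl = Get-Acl -LiteralPath $p
        $isRegistry = $acl -is [System.Security.AccessControl.RegistrySecurity]
        # Explicit and inherited entries, with identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
            if (-not $broadSids.ContainsKey($sid)) { continue }
            if ($isRegistry) { $rights = $ace.RegistryRights; $mask = $regWrite }
            else             { $rights = $ace.FileSystemRights; $mask = $fsWrite }
            if (([int]$rights -band $mask) -ne 0) {
                [pscustomobject]@{
                    Path      = $p
                    Principal = $broadSids[$sid]
                    Rights    = $rights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-BroadWriteAce -Path $targets | Format-Table -AutoSize
```

Rows with `Inherited` set to `False` are entries placed directly on the object, which is what the `cacls ... /e /t /p users:c` command and a manual regedit permission change produce.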