Re: Desktop Icons and Least User Privilege

Tech-Archive recommends: Fix windows errors by optimizing your registry


The date and time was 2/28/2008 5:35 PM, and on a whim, Thomas M. pounded out on the keyboard:


XP SP2

We are in the process of restricting all our employees to standard user accounts on the desktop. For the most part this has all gone just fine, but today I ran into a problem that I have not previously encountered. I converted a group of users to standard user accounts and all of them lost the ability to launch Attachmate Extra from the desktop icon. Now, I tested Extra in advance and found that I needed to tweak the NTFS permissions to make it run as a standard user, and I added the appropriate file rights to our group policy. In fact, I currently have standard users running Extra without problems, so I know that I've got that end of things nailed down. The problem today was that the desktop icon does not work, and when I checked the properties of the icon I found that all the fields had been emptied out. This situation never arose in our testing.

I have the same problem with another product called BeyondCompare.

Both the Extra and BeyondCompare icons are located on the All Users desktop. There are other icons on the All Users desktop that appear to have been unaffected, or at least no one complained about them today.

Does anyone know why the icons for these two products were essentially made into empty shells simply by removing the admin rights of the user? Does this have something to do with the way the installation packages for these products created the shortcuts? Also, can I possibly fix the problem by giving the user rights to those specific icons via the group policy?

Any information you can offer will be greatly appreciated.

--Tom



Hi Tom,

We have users connecting to TS via RDP, and I had to add user rights to the specific icons in order for the user to gain access to the program. That may be the same in your situation.

--
Terry R.

***Reply Note***
Anti-spam measures are included in my email address.
Delete NOSPAM from the email address after clicking Reply.
.

Relevant Pages

  • Desktop Icons and Least User Privilege
    ... We are in the process of restricting all our employees to standard user ... accounts on the desktop. ... make it run as a standard user, and I added the appropriate file rights to ... Both the Extra and BeyondCompare icons are located on the All Users desktop. ...
    (microsoft.public.windowsxp.general)
  • Re: Problems assigning apps via Policy
    ... The apps are showing up correctly in "Add/remove Programs", ... I assume the icons are in the package, ... the Windows Group Policy Guide is out from Microsoft Press!!! ... The apps are visible in "Add New ...
    (microsoft.public.windows.group_policy)
  • Re: Preventing a user from accessing the desktop...
    ... I do use group policy but there isn;t anaything to prevent them from using ... YOu can disable all icons on teh desktop but can't prevent ... > If you have setup group policy, ...
    (microsoft.public.backoffice.smallbiz2000)
  • Re: Problems assigning apps via Policy
    ... I'm assuming that the package actually includes the icons? ... using per-machine deployment they are not getting put into the All Users ... the Windows Group Policy Guide is out from Microsoft Press!!! ...
    (microsoft.public.windows.group_policy)
  • Re: Problems assigning apps via Policy
    ... Well if AllUsers is not set then the package assume a per-user install so ... So, if the icons are there on manual install, then they ... the Windows Group Policy Guide is out from Microsoft Press!!! ...
    (microsoft.public.windows.group_policy)