Re: Making Users Power Users, Without Install Privileges



Hi there,

We have a similar problem (well, we did). All of our users on one forest
were all local administrators (as set by my predecessor). I've just finished
'moving' them out of Administrators and back as domain users.

I found NTRegMon (available at www.sysinternals.com) very helpful for
trapping application rights and such.

A trick that worked for me was to log in as a USER (but one that isn't locked
down by GPOs), open up a command prompt, use RUNAS to run NTRegMon as an
administrator. Then clear the NTRegMon screen (so it pauses logging and
clears the screen). Then enable logging just before you run the app.
Don't do much else with the app, just close it, then pause monitoring on
NTRegMon but DO NOT clear the screen. And then add a filter for 'DENIED' on
the filter control panel and check through the list of things that it shows
you in the panel.

Hope that helps somewhat, as Dmitry said though - you want to give them ONLY
the rights they need to run the applications successfully, little point
granting them higher access (like power users) and then trying to restrict
them, it's not the easiest way to do it IMO.

"Dmitry Korolyov [MVP]" wrote:

> Grant users registry permissions they need. You can do this for a large
> amount of users/computers with group policy.
> You can use ntregmon utility to check which registry keys/values are used by
> application and find out which kind of access this application tries to get.
>
> --
> Dmitry Korolyov [d__k@xxxxxxxxxxxxxxxxxxxxxx]
> MVP: Windows Server - Directory Services
>
>
> "Michael" <Michael@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:FD29C9CA-499C-4592-ABBA-BF8C87CB977C@xxxxxxxxxxxxxxxx
> > I need to make some of my users power users, without giving them
> > installation rights?
> >
> > I have installed a new application that needs to access the registry, but
> > I do not want users to be able to install applications.
> >
> > Any help is greatly appreciated.
> >
> > Michael
>
>
>
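
The 'DENIED' filtering step described in the reply above can also be done offline on a saved capture, which gives a deduplicated list of registry paths and the kind of access to review for each. This is an added example, not part of the original posts; the tab-separated column order, the request names and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows (not a real capture). Assumed column order of a
# saved log: sequence, time, process:pid, request, path, result.
ROWS = [
    ("1", "0.10", "app.exe:1234", "OpenKey", r"HKLM\Software\ExampleVendor\App", "SUCCESS"),
    ("2", "0.11", "app.exe:1234", "SetValue", r"HKLM\Software\ExampleVendor\App\LastRun", "ACCDENIED"),
    ("3", "0.12", "app.exe:1234", "CreateKey", r"HKLM\Software\ExampleVendor\App\Cache", "ACCDENIED"),
    ("4", "0.13", "explorer.exe:800", "OpenKey", r"HKLM\Software\Other", "ACCDENIED"),
    ("5", "0.14", "app.exe:1234", "OpenKey", r"HKLM\Software\ExampleVendor\License", "ACCDENIED"),
    ("6", "0.15", "app.exe:1234", "SetValue", r"HKLM\Software\ExampleVendor\App\LastRun", "ACCDENIED"),
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in ROWS)

# Request names assumed to imply a write; anything else is treated as a read.
WRITE_REQUESTS = {"SetValue", "CreateKey", "DeleteKey", "DeleteValueKey"}


def denied_requests(log_text, process_name):
    """Map each registry path to the set of requests that were denied."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6:
            continue  # blank or truncated line
        process, request, path, result = cols[2:6]
        if process.split(":")[0].lower() != process_name.lower():
            continue  # noise from another process
        if "DENIED" in result.upper():
            denied[path].add(request)
    return denied


def permissions_to_review(log_text, process_name):
    """Sorted (path, 'read' or 'write') pairs: the grants to evaluate."""
    return sorted(
        (path, "write" if reqs & WRITE_REQUESTS else "read")
        for path, reqs in denied_requests(log_text, process_name).items()
    )


if __name__ == "__main__":
    for path, access in permissions_to_review(SAMPLE_LOG, "app.exe"):
        print(f"{access:5}  {path}")
```

Each path in the output is a candidate for a narrowly scoped registry permission delivered through group policy, rather than a reason to add the user to Power Users or Administrators.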