Re: Administrator rights for legacy appliations

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

From: Will G (wgrever_at_crcm.edu)
Date: 08/09/04 

Date: Mon, 9 Aug 2004 09:33:31 -0400

Putting the users in the PowerUser group was the first thing I tried, but it
was to no avail.
I was out of the office Friday and all weekend, but I hope to try the
FileMon and RegMon utilities today or tomorrow.
I will report back to the list on how it goes.

Will

"Feng Mao" <fengmao@online.microsoft.com> wrote in message
news:B2pO4Y6eEHA.2380@cpmsftngxa06.phx.gbl...
> Hi Will,
>
> Thank you for posting!
>
> I am not sure why these applications have to be run under administrator
> privilege. They need read/write Registry keys/System files or need run
> services. If it is the case, personally, I agree with Vera's suggestion.
Or
> you can add these users to Power Users group, and add Power Users group to
> have the permission to access the registry key or system files.
>
> Please understand that Administrators group has much more powers than
> accessing Registry keys or system files.
>
> Have a nice day!
>
> Thanks & Regards,
>
> Feng Mao [MSFT], MCSE
> Microsoft Online Partner Support
>
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>
>
>
> --------------------
> | Subject: Re: Administrator rights for legacy appliations
> | From: "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se>
> | References: <#pssRcveEHA.708@TK2MSFTNGP09.phx.gbl>
> | Message-ID: <Xns953CDEA9D4C95veranoesthemutforsse@207.46.248.16>
> | User-Agent: Xnews/5.04.25
> | Newsgroups: microsoft.public.windows.terminal_services
> | Date: Thu, 05 Aug 2004 12:53:18 -0700
> | NNTP-Posting-Host: md4691df5.utfors.se 212.105.29.245
> | Lines: 1
> | Path:
>
cpmsftngxa06.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12
> phx.gbl
> | Xref: cpmsftngxa06.phx.gbl
> microsoft.public.windows.terminal_services:16042
> | X-Tomcat-NG: microsoft.public.windows.terminal_services
> |
> | I would download FileMon and RegMon from
> | http://www.sysinternals.com/. Run them as administrator, start
> | a TS session as a normal user and try to run the application.
> |
> | FileMon and RegMon will show you all "access denied" errors
> | that occur, so that you can give your users the necessary
> | permissions on a file-to file or Registry subkey basis.
> |
> | Even if you manage to have users run the application without
> | making them Administrators, you still have a security problem,
> | since you actually are using your DC as a multiple-user
> | workstation. I would try to purchase a second server as soon as
> | possible, and make that a dedicated TS (as a member server in your
> | domain).
> |
> | --
> | Vera Noest
> | MCSE, CCEA, Microsoft MVP - Terminal Server
> | http://hem.fyristorg.com/vera/IT
> | --- please respond in newsgroup, NOT by private email ---
> |
> | "Will G" <wgrever@crcm.edu> wrote in
> | news:#pssRcveEHA.708@TK2MSFTNGP09.phx.gbl:
> |
> | > I am running W2K3 standard srever with Terminal Services in
> | > application mode and this box is the only server in the forest /
> | > domain / enterprise (my AD lingo is not what it should be) any
> | > way, it is the only serer so it is also the one and only domain
> | > controler.
> | >
> | > My problem is that I have several applicatons on the server
> | > that require
> | > the user to have admin rights in order for the applicatoin to
> | > function properly. I do not want to give full admin right to
> | > the users when they log on to a TS session to run these
> | > applications, but I have been unable to come up with any other
> | > solution. My impression is that these applications are doing
> | > something in the registry, but I am not sure.
> | >
> | > Is there a way to have a TS session with the user having
> | > Administrator
> | > rights of the session but not local Admin rights on the server
> | > itself? And would this solve my problem?
> | >
> | > Thank you,
> | > Technet alias: wgrever@crcm.edu
> |
>

Relevant Pages

  • Re: Page file and VM problems
    ... Click the View tab. ... Click to clear the Hide protected operating system files check box. ... Click Administrators, click Add, and then click OK. ... This automatically selects the other check boxes. ...
    (microsoft.public.windowsxp.general)
  • RE: RESPONSE: Users "bypassing" Group Policy restrictions
    ... The owner of a file/reg key can change its permissions. ... This security setting determines which users can take ownership of any ... What if he removes local 'Administrators' group from having this right ... permissions to the registry key which applies ...
    (Focus-Microsoft)
  • Re: Problems with winexit.exe and "power users"
    ... the solution is to set appropriate permissions for the registry key discussed in that article. ... administrator then copy our administrator profile over our default user ... power users group is logged on, winexit fails when it attempts to log them ...
    (microsoft.public.windowsxp.customize)
  • Re: Problems with winexit.exe and "power users"
    ... In order for non-administrators to be able to use WinExit, you must add Set Value and Create Subkey permissions for the group Everyone on the registry key: ... > power users group is logged on, winexit fails when it attempts to log them ...
    (microsoft.public.windowsxp.customize)
  • Re: Problems with winexit.exe and "power users"
    ... the solution is to set appropriate permissions for the registry key ... >> administrator then copy our administrator profile over our default user ... >> power users group is logged on, winexit fails when it attempts to log them ... >> Error encountered while creating registry key. ...
    (microsoft.public.windowsxp.customize)