Re: Windows 2003 Users vs Software
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: Fri, 25 Feb 2005 18:06:07 -0700
The message that you see when trying to run those applications
as a limited user, to effect, "the software has not been installed
correctly" is a correct message. In fact, the software is not
capable of installing itself correctly.
There are quite a few companies that still have not lifted their
eyes above the DOS/Win9x days. You need to not just ask for
their support but to let them know that they have sold you flawed
software that does not respect the requirements of software that
is designed for Windows (the logo specification).
You voice, added to that of others, is the only thing that will
push these vendors into creating/selling "modern" software.
OK, so what else can you do besides telling them that the next
purchase is guided by the made for Windows logo being on the
The one route you explored, making the users' domain accounts
members of the machine local Administrators group is one way,
but consider it a last resort. Also, you may need to look for some
Restricted Group definitions in the GPOs in AD judging from
what you have said.
Many such illbehaved software can be cured by granting the
Users group Modify permissions on the directory to which the
software installed, like c:\program files\vendorapplication
If that is insufficent then the application when running may be
trying to create temporary files somewhere else where the
Users group does not (and should not) have permission to do
so. The other major reason for failure is that the application
is trying to write into the registry, likely somewhere like
HKLM\Software\Vendorname\Applicationname, a location
to which limited user do not and should not have write granted.
So, one can try granting this in the registry to just that vendor's
keys for the application, but if it does not help remove the grant.
There are two tools , fileman and regmon, thay you may get
at www.sysinternals.com that are a great help in locating where
an application is trying to write and being denied. To use these,
log in as an admin, start the apps and configure the capture filters
to watch the limited account you will use to run the application.
Then, start the capture and use runas to start the application as
that limited user. As soon as the application has failed, stop
the capture and examine it for the failures indicating where you
could try granting Users group higher permissions.
That said, there are some software that just plain cannot be
made to work. It is too DOSish. However, if the application
did work for a non-admin in Windows 2000 then the above
will likely resolve your problems.
-- Roger Abell Microsoft MVP (Windows Security) MCSE (W2k3,W2k,Nt4) MCDBA "Marilyne" <Marilyne@discussions.microsoft.com> wrote in message news:7015D463-CEC6-4EE5-89E5-835934C810C1@microsoft.com... > I am managing a network using 16 workstations sharing files on a Windows 2003 > server. The users do not have rights to install programs. All users have > Office 2003; however, each workstation has additional software that is > specific to their business specialty. There is only one software package > running off the server. My problem is when I install some software packages > they do not work for the user using standard user rights. > > I have consulted other network techs regarding the problem and followed > various suggestions none of these ideas worked. It appears the server is > over-riding something in the software registry. Therefore the software will > not initiate once the user has standard user rights to the machine. If I get > an error it usually says the software was not installed properly. Once I > change the users rights to "Administrator" the software works. > > I've tried changing the machine user rights so that the user has > administrative rights to his/her machine but as soon as they login with their > standard user login created for the domain, the server over rides the rights > and the software will not work. > > There are three software packages that are giving me this conflict. One is > an engineering software, one is a form software and the other is a software > that initiates the vinyl cutter. I have called the software vendors and they > give me no technical advice. They don't know what would cause this conflict. > I am looking forward to hearing some good advice. > > It has been suggested to me that I give the user administrative rights and > give up. This means the user has access to payroll and account records the > administration does not want public. If there is a way to give the users > administrative rights and limit their access to specific folders. I am > willing to make that adjustment. > -- > Marilyne