Re: Windows 2003 Users vs Software

From: Roger Abell (
Date: 02/26/05

Date: Fri, 25 Feb 2005 18:06:07 -0700

The message that you see when trying to run those applications
as a limited user, to effect, "the software has not been installed
correctly" is a correct message. In fact, the software is not
capable of installing itself correctly.
There are quite a few companies that still have not lifted their
eyes above the DOS/Win9x days. You need to not just ask for
their support but to let them know that they have sold you flawed
software that does not respect the requirements of software that
is designed for Windows (the logo specification).
Your voice, added to that of others, is the only thing that will
push these vendors into creating/selling "modern" software.

OK, so what else can you do besides telling them that the next
purchase is guided by the made for Windows logo being on the

The one route you explored, making the users' domain accounts
members of the machine local Administrators group is one way,
but consider it a last resort. Also, you may need to look for some
Restricted Group definitions in the GPOs in AD judging from
what you have said.

Many such ill-behaved software can be cured by granting the
Users group Modify permissions on the directory to which the
software installed, like c:\program files\vendorapplication
If that is insufficient then the application when running may be
trying to create temporary files somewhere else where the
Users group does not (and should not) have permission to do
so. The other major reason for failure is that the application
is trying to write into the registry, likely somewhere like
HKLM\Software\Vendorname\Applicationname, a location
to which limited users do not and should not have write granted.
So, one can try granting this in the registry to just that vendor's
keys for the application, but if it does not help remove the grant.
There are two tools, filemon and regmon, that you may get
at that are a great help in locating where
an application is trying to write and being denied. To use these,
log in as an admin, start the apps and configure the capture filters
to watch the limited account you will use to run the application.
Then, start the capture and use runas to start the application as
that limited user. As soon as the application has failed, stop
the capture and examine it for the failures indicating where you
could try granting Users group higher permissions.

That said, there is some software that just plain cannot be
made to work. It is too DOSish. However, if the application
did work for a non-admin in Windows 2000 then the above
will likely resolve your problems.

Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Marilyne" <> wrote in message
> I am managing a network using 16 workstations sharing files on a Windows
> server.  The users do not have rights to install programs.  All users have
> Office 2003; however, each workstation has additional software that is
> specific to their business specialty.  There is only one software package
> running off the server.  My problem is when I install some software
> they do not work for the user using standard user rights.
> I have consulted other network techs regarding the problem and followed
> various suggestions none of these ideas worked.  It appears the server is
> over-riding something in the software registry.  Therefore the software
> not initiate once the user has standard user rights to the machine.  If I
> an error it usually says the software was not installed properly. Once I
> change the user's rights to "Administrator" the software works.
> I've tried changing the machine user rights so that the user has
> administrative rights to his/her machine but as soon as they login with
> standard user login created for the domain, the server overrides the
> and the software will not work.
> There are three software packages that are giving me this conflict.  One
> an engineering software, one is a form software and the other is a
> that initiates the vinyl cutter.  I have called the software vendors and
> give me no technical advice.  They don't know what would cause this
>  I am looking forward to hearing some good advice.
> It has been suggested to me that I give the user administrative rights and
> give up.  This means the user has access to payroll and account records
> administration does not want public.  If there is a way to give the users
> administrative rights and limit their access to specific folders.  I am
> willing to make that adjustment.
> -- 
> Marilyne
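
Added example (not part of the original thread): a short Python triage of a file/registry monitor capture, following the procedure in the reply above. It separates the limited account's denied operations that fall inside the vendor's own directory or key from those that do not. The capture rows are constructed, and the pipe-separated layout, account names and `VENDOR_SCOPES` values are assumptions made for illustration.

```python
import ntpath
from collections import Counter

# Constructed capture rows (not real tool output); the pipe-separated layout
# account|process|request|path|result is an assumption for this example.
CAPTURE = r"""
DOMAIN\limiteduser|vendorapp.exe|OPEN|C:\Program Files\vendorapplication\app.ini|SUCCESS
DOMAIN\limiteduser|vendorapp.exe|WRITE|C:\Program Files\vendorapplication\settings.dat|ACCESS DENIED
DOMAIN\limiteduser|vendorapp.exe|CREATE|C:\Program Files\vendorapplication\cache\job1.tmp|ACCESS DENIED
DOMAIN\limiteduser|vendorapp.exe|CREATE|C:\WINDOWS\vendorapp.tmp|ACCESS DENIED
DOMAIN\limiteduser|vendorapp.exe|SetValue|HKLM\Software\Vendorname\Applicationname\Options\LastRun|ACCESS DENIED
DOMAIN\limiteduser|vendorapp.exe|CreateKey|HKLM\Software\Classes\.vnd|ACCESS DENIED
DOMAIN\admin|explorer.exe|WRITE|C:\WINDOWS\x.log|ACCESS DENIED
"""

# Hypothetical vendor-owned locations: the only places a grant to Users is considered.
VENDOR_SCOPES = (r"C:\Program Files\vendorapplication",
                 r"HKLM\Software\Vendorname\Applicationname")

def scope_of(target):
    """Return the vendor scope containing target, or None if it lies outside all of them."""
    t = target.lower()
    for scope in VENDOR_SCOPES:
        s = scope.lower()
        if t == s or t.startswith(s + "\\"):
            return scope
    return None

def triage(capture, account):
    """Split the account's denied operations into narrow-grant candidates and the rest."""
    candidates, outside = Counter(), Counter()
    for line in capture.strip().splitlines():
        who, _proc, _req, path, result = line.split("|")
        if who.lower() != account.lower() or result != "ACCESS DENIED":
            continue
        scope = scope_of(path)
        if scope:
            candidates[scope] += 1
        else:
            # Report the containing directory or parent key; Users should not get write here.
            outside[ntpath.dirname(path)] += 1
    return dict(candidates), dict(outside)

if __name__ == "__main__":
    grant, leave = triage(CAPTURE, r"DOMAIN\limiteduser")
    print("Consider Modify for Users on:", grant)
    print("Outside vendor scope, do not grant:", leave)
```

Denials counted in the second result point at system-wide locations; those are the cases where the application, not the ACL, needs to change.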
