Re: Windows 2003 Users vs Software

From: Marilyne (Marilyne_at_discussions.microsoft.com)
Date: 02/26/05 

Date: Sat, 26 Feb 2005 04:47:03 -0800

Thank you so much! This really sounds like I've got the RIGHT ADVICE. I
will try it ad let you know how it works!

"Roger Abell" wrote:

> I did try to indicate how to use these to find the problems,
> at the end of the last paragraph.
> You need to have both an admin and a limited account
> in use at the same time. You can log in as a limited
> account and then use RunAs to get the regmon and filemon
> ready within an admin account, and then run the problem
> applications, and then start the capture simultaneously with
> launching the problem application as the limited user, or
> you can log in as the admin and use RunAs to launch the
> problem application. In either case it is highly advantageous
> to configure the capture filters so that you snag only what is
> needed based on using a filtering for the limited account.
>
> RunAs should be available with a right-shift right-click
> into the context menu of the launcher for the application,
> or, from the commandline using syntax info obtained with
> runas /?
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Marilyne" <Marilyne@discussions.microsoft.com> wrote in message
> news:64465DD3-3CF1-49D8-89FE-3EE048DBF712@microsoft.com...
> > Thank you!
> >
> > I did download both filemon and regmon. I found several references to the
> > software. I copied the references; however, when I tried to run the
> software
> > to get the errors, I could not run it in the user login because they
> didn't
> > have the security rights. I can run the software as administrator on the
> > same machine but my question is how to I find the registry errors that
> came
> > up for that software when it was in user mode.
> >
> > I was confused enough to hire someone to come in and try to decifer it for
> > me; however, he didn't seem to know what he was looking for either. I
> will
> > complain to the manufacturer because this is a major vendor and the
> software
> > is very expensive; however, the company didn't have any problems running
> it
> > on Windows 98.
> >
> > Can you suggest some tricks I can use with regmon or filemon?
> >
> > "Roger Abell" wrote:
> >
> > > The message that you see when trying to run those applications
> > > as a limited user, to effect, "the software has not been installed
> > > correctly" is a correct message. In fact, the software is not
> > > capable of installing itself correctly.
> > > There are quite a few companies that still have not lifted their
> > > eyes above the DOS/Win9x days. You need to not just ask for
> > > their support but to let them know that they have sold you flawed
> > > software that does not respect the requirements of software that
> > > is designed for Windows (the logo specification).
> > > You voice, added to that of others, is the only thing that will
> > > push these vendors into creating/selling "modern" software.
> > >
> > > OK, so what else can you do besides telling them that the next
> > > purchase is guided by the made for Windows logo being on the
> > > software?
> > >
> > > The one route you explored, making the users' domain accounts
> > > members of the machine local Administrators group is one way,
> > > but consider it a last resort. Also, you may need to look for some
> > > Restricted Group definitions in the GPOs in AD judging from
> > > what you have said.
> > >
> > > Many such illbehaved software can be cured by granting the
> > > Users group Modify permissions on the directory to which the
> > > software installed, like c:\program files\vendorapplication
> > > If that is insufficent then the application when running may be
> > > trying to create temporary files somewhere else where the
> > > Users group does not (and should not) have permission to do
> > > so. The other major reason for failure is that the application
> > > is trying to write into the registry, likely somewhere like
> > > HKLM\Software\Vendorname\Applicationname, a location
> > > to which limited user do not and should not have write granted.
> > > So, one can try granting this in the registry to just that vendor's
> > > keys for the application, but if it does not help remove the grant.
> > > There are two tools , fileman and regmon, thay you may get
> > > at www.sysinternals.com that are a great help in locating where
> > > an application is trying to write and being denied. To use these,
> > > log in as an admin, start the apps and configure the capture filters
> > > to watch the limited account you will use to run the application.
> > > Then, start the capture and use runas to start the application as
> > > that limited user. As soon as the application has failed, stop
> > > the capture and examine it for the failures indicating where you
> > > could try granting Users group higher permissions.
> > >
> > > That said, there are some software that just plain cannot be
> > > made to work. It is too DOSish. However, if the application
> > > did work for a non-admin in Windows 2000 then the above
> > > will likely resolve your problems.
> > >
> > > --
> > > Roger Abell
> > > Microsoft MVP (Windows Security)
> > > MCSE (W2k3,W2k,Nt4) MCDBA
> > > "Marilyne" <Marilyne@discussions.microsoft.com> wrote in message
> > > news:7015D463-CEC6-4EE5-89E5-835934C810C1@microsoft.com...
> > > > I am managing a network using 16 workstations sharing files on a
> Windows
> > > 2003
> > > > server. The users do not have rights to install programs. All users
> have
> > > > Office 2003; however, each workstation has additional software that is
> > > > specific to their business specialty. There is only one software
> package
> > > > running off the server. My problem is when I install some software
> > > packages
> > > > they do not work for the user using standard user rights.
> > > >
> > > > I have consulted other network techs regarding the problem and
> followed
> > > > various suggestions none of these ideas worked. It appears the server
> is
> > > > over-riding something in the software registry. Therefore the
> software
> > > will
> > > > not initiate once the user has standard user rights to the machine.
> If I
> > > get
> > > > an error it usually says the software was not installed properly. Once
> I
> > > > change the users rights to "Administrator" the software works.
> > > >
> > > > I've tried changing the machine user rights so that the user has
> > > > administrative rights to his/her machine but as soon as they login
> with
> > > their
> > > > standard user login created for the domain, the server over rides the
> > > rights
> > > > and the software will not work.
> > > >
> > > > There are three software packages that are giving me this conflict.
> One
> > > is
> > > > an engineering software, one is a form software and the other is a
> > > software
> > > > that initiates the vinyl cutter. I have called the software vendors
> and
> > > they
> > > > give me no technical advice. They don't know what would cause this
> > > conflict.
> > > > I am looking forward to hearing some good advice.
> > > >
> > > > It has been suggested to me that I give the user administrative rights
> and
> > > > give up. This means the user has access to payroll and account
> records
> > > the
> > > > administration does not want public. If there is a way to give the
> users
> > > > administrative rights and limit their access to specific folders. I
> am
> > > > willing to make that adjustment.
> > > > --
> > > > Marilyne
> > >
> > >
> > >
>
>
>