Re: current user rights

From: Steven L Umbach (
Date: 07/05/05

Date: Tue, 5 Jul 2005 14:44:29 -0500

Apparently the problem is that the user's security token does not contain his
membership in the administrators group yet. The user would have to log off
and log on or use something like "runas" to temporarily elevate the user's
rights to execute a file, but that would require that the user know admin
credentials or that you use a third-party runas-type utility that can encode user
credentials, such as the one from Joeware. You can give a user additional
user rights in the Local Security Policy [secpol.msc] of the server without
making him an administrator. Whether or not there is a user right that is
sufficient for your needs, I don't know offhand. You can use the support
tool whoami while logged on as that user to see information about the
current access session token.

--- Steve

-- link to Cpau from Joeware
--- whoami

"mkv" <> wrote in message
> Hi everybody.
> I've got a question about current user rights and access.
> One of our clients has a situation where highly restricted users on the TS 2003
> in some cases have to have the ability to modify HKEY_CURRENT_USER\Software
> and register one dll (third party application).
> A user logon script, depending on the situation, initiates another script (via
> runas) which actually makes the current user (CU) a member of the local admins
> group.
> So now CU should be able to complete all actions, but in reality the current
> session still has to access
> any resource like CU isn't a member of the local admins group, and this is the
> question - why does CU still have no rights to modify the registry or register the dll?
> Is there any similar to "gpupdate.exe /force" command to refresh CURRENT
> Thanks for helpful response.
> mkv
> P.S.
> At the end of the logon script we remove the user from the local admins group so
> all limitations are recovered.
> And one more thing - since this is not our environment please do not advise
> to change security and user rights on AD level.
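
The behaviour discussed in this thread can be checked from inside the affected session by comparing the groups in the current access token with the local Administrators group as it is stored right now. This is an added example, not part of the original posts; it assumes Windows PowerShell 5.1 or later (for `Get-LocalGroupMember`), and the variable names are illustrative.

```powershell
# Well-known SID of the built-in local Administrators group.
$adminSid = 'S-1-5-32-544'

# 1. What the current session's access token contains.
#    The token is built at logon and is not updated when group membership changes.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$inToken  = @($identity.Groups | Where-Object { $_.Value -eq $adminSid }).Count -gt 0

# 2. What the local account database says at this moment.
#    Only direct members are compared; membership through a nested group
#    is not resolved here.
$members    = Get-LocalGroupMember -SID $adminSid
$inDatabase = @($members | Where-Object { $_.SID.Value -eq $identity.User.Value }).Count -gt 0

# 3. Report the combination.
if ($inDatabase -and -not $inToken) {
    'Stale token: the account is in Administrators, but this session was started before the change.'
} elseif ($inToken -and -not $inDatabase) {
    'Lingering rights: the account was removed from Administrators, but this session still carries the group.'
} elseif ($inToken) {
    'Consistent: the account is in Administrators and the token reflects it.'
} else {
    'Consistent: the account is not in Administrators and the token reflects it.'
}
```

The second branch matters for the cleanup step in the P.S.: removing the account from the group at the end of the logon script does not strip the group from any process that was started with a token created while the account was a member.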