Re: Try to prevent installs

From: Oli Restorick [MVP] (oli_at_mvps.org)
Date: 01/19/04 

Date: Mon, 19 Jan 2004 22:49:02 -0000

Hi there

I would challenge your first statement and rephrase it as "I have an
application that won't run when the user is logged in as a ordinary user.
Since I don't know what the program is trying to do that causing it to fail,
I resort to making the users members of the Power Users group".

Does that sound more like it? The notion of a restricted administrator or a
restricted power user is really a false one. Oh, and the definition of a
power user? An administrator who hasn't made himself an administrator yet.

Anyway, what you need to do is to find out what the program is doing that it
shouldn't be. Some useful tools here are FileMon and RegMon from
www.sysinternals.com. Install and run these programs and then run the
poorly-written application.

The problem is almost certain to be either file permissions or registry
permissions. Once you've found the files, directories or registry keys that
the program is trying to write to, loosen the permissions on them.

You can use regedt32.exe (note, no "i") for registry permissions (and
Explorer, obviously, for file permissions).

Group Policy also has facilities for changing registry permissions and file
permissions. Otherwise, you can script file permission changes using
cacls.exe (built in) and registry permission changes using regini.exe and
several other (and, frankly, better) tools.

Hope this helps

Oli

"WP" <anonymous@discussions.microsoft.com> wrote in message
news:07df01c3dea6$19e45e40$a501280a@phx.gbl...
> We have workstations that need a global group in the power
> users local group. 3/4 of the users are in this group to
> run 1 certain app. how can i lock down the machines to
> prevent these users from installing applications on the
> local workstation.
> TIA
> WP

Relevant Pages

  • Re: Default Directory and File Permissions
    ... > the default Dir.and File permissions. ... > I am testing security on my server and need to know what defaults ... Also anything on registry permissions as well. ...
    (microsoft.public.win2000.security)
  • Re: "Send as" and SBS Domain Power User
    ... We can "Send as" the normal domain user by using the domain power user ... You can remove the power user from the Account Operator group or deny the ... To deny user "Send as" permissions for power user: ... Microsoft CSS Online Newsgroup Support ...
    (microsoft.public.windows.server.sbs)
  • Re: Power User Vs. Admin
    ... An administrator is all powerful on the computer while a power user has ... application can be made to work if the user has the necessary permissions to ... the user that cause the application to fail and often these failures can ...
    (microsoft.public.windows.server.security)
  • Re: Printers showing up for all users - how to fix?
    ... Post in one of the Windows server groups if you're having ... trouble figuring the required permissions out. ... run a couple of 3rd party apps that require power user privledge to ... Is there a way to set the global permissions for users to domain ...
    (microsoft.public.windows.terminal_services)
  • Re: CreateFile() returns ERROR_ACCESS_DENIED to the user
    ... grant permissions for power users on the device driver and then do a ... relogon with power user or there is some other place where the ... permissions can be granted? ... users cannot grant permissions to themselves, ...
    (microsoft.public.win32.programmer.kernel)