Re: Running Programs with Elevated Privileges

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 03/08/04 

Date: Mon, 08 Mar 2004 22:56:33 GMT

You could either try adding the domain users account to the local power users group
on the domain computer where they need extra permissions or look into applying the
compatws.inf template witch will give a user the same ntfs and registry permissions
as a power user without the extra rights such as creating shares. Making a user a
local power user or administrator does not give them any more power in the domain,
but it makes it a lot easier for them to mess up their computers such as installing
unauthorized software. Ideally you would want to modify ntfs/registry permissions so
that a regular user could run the applications and free third party tools such as
Regmon and Filemom from SysInternals [which needs to be invoked with runas/admin
credentials while logged on as a regular user just before trying to run the
application] could help you possibly track down those permissions needed, but from
what you describe it may not work in your case because of all that the application
does. --- Steve

"Jeff Smyrski" <jsmyrski@bankofutica.com> wrote in message
news:8e7c01c40515$c4501050$a401280a@phx.gbl...
> I am looking for a way to allow several programs run with
> elevated privileges. For example, a certain software
> company has written a program that calls several other
> custom programs. In all of this the main program itself
> installs and uninstalls DCOM objects, and also configures
> hardware programatically such as a COM port for a Serial
> Printer. This is causing an issue, and the suggested
> solution is to open the security up for these users to
> run the program by making them Power Users locally, but
> since they log into a domain, it would mean giving them
> more privileges on the domain than they should have. The
> program runs accross the domain in a shared location on a
> server build for the core programs to run from.
>
> I am looking for a way to simply create either a GPO or
> script to alter the permissions for these programs to run
> with elevated privileges, kind of like a RUN AS feature,
> but with out manual intervention. Any suggestions would
> be very useful. Thanks.
>
> Jeff Smyrski -
> TechNet Plus Subscriber.

Relevant Pages

  • RE: Client Permissions
    ... I checked user permissions on individual client ... For power users, they have been granted ... >> Microsoft CSS Online Newsgroup Support ...
    (microsoft.public.windows.server.sbs)
  • Re: Unable to change message store location in Outlook Express
    ... If you never had read/write permissions then how were your messages being saved ... to give Power Users full permission to make required changes. ... when I try to change the message store to an empty ...
    (microsoft.public.win2000.general)
  • Re: Sharepoint Security - Help!!!!!
    ... When they did the migration from one server to another it went from Standard ... differnt sharepoint document libraries that we have in our internal company ... permissions as to who could look in them. ... "power users" when I deleted them from being a member of this sercurity group ...
    (microsoft.public.windows.server.sbs)
  • System permissions and printer forms - serious design flaw in Win2K security?
    ... Only power users and system administrators can create printer forms. ... local user account to have either power user or administrator rights ... Does anyone know how the various permissions implicit in group ...
    (microsoft.public.win2000.security)
  • Re: Deny Permission for Internet Explorer
    ... If an administrator wanted stricter control of access to the computer's ... Users, Power Users, and Administrators. ... are used to assign permissions. ...
    (microsoft.public.win2000.security)