Re: Running a program with elevated privilages

tony houlihan wrote:
I understand that under windows 2000 the EPAL.exe program could be used to run a program which required a higher level of privilages than that of the logged in user but is this program usable under server 2003.

In addition to this does anyone know a better way of addressing this situation:

company with 20 client computers and 20 users. A legacy application is needed on all clients with all users using roaming profiles needing access to the program. The legacy app requires the user to have Admin rights on the first log in and lauch of the application (presumably to modify the HKEY\Local Users\ somthing key registry section), obviously this presents a headache for installation and administration..............

If I were you I'd find out what the program is trying to do that causes it to fail as a normal user. If it's trying to add a registry key as you have suggested, then you could perhaps push out the correct values via a Group Policy instead of running the program elevated.

Perhaps the program needs to be able to write to some files in its program folder, in which case you could relax filesystem permissions on the particular files that it uses.

In my opinion, it's better to relax the security on a couple of files or registry keys (depending on what they are, of course) than to run the whole program with admin rights.

Regmon and Filemon are invaluable tools for these situations:

http://www.microsoft.com/technet/sysinternals/default.mspx


--
Chris.
.

Relevant Pages

  • Re: Running a program with elevated privilages
    ... You just need to create an msi package for it, ... you can keep admin rights restricted. ... If it's trying to add a registry key as you ... in which case you could relax filesystem permissions on ...
    (microsoft.public.windows.server.security)
  • Re: Running a program with elevated privilages
    ... If it's trying to add a registry key as you have suggested, then you could perhaps push out the correct values via a Group Policy instead of running the program elevated. ... Perhaps the program needs to be able to write to some files in its program folder, in which case you could relax filesystem permissions on the particular files that it uses. ... In my opinion, it's better to relax the security on a couple of files or registry keys than to run the whole program with admin rights. ...
    (microsoft.public.windows.server.security)
  • Re: Security
    ... "George Hester" said ... The user did have admin rights that was signed on at the ... The GPO was not 'violated'. ... Use ACL's on the registry key. ...
    (microsoft.public.win2000.group_policy)
  • Re: remotely connecting to registry
    ... >go to that machine and as a local administrator open ... >permissions on that registry key. ... >> Administrator on the local computer with admin rights ... >> The user on the local computer with admin rights. ...
    (microsoft.public.windowsxp.security_admin)
  • registry change HKCU
    ... I have written a registry key that works for HKCU if you have admin rights ... How can I push this out to users with out admin rights or how do ...
    (microsoft.public.scripting.wsh)