Re: Setting up security etc so Kids can play games...Need Help!!

From: Jim Cavalaris [MS] (jamesca@online.microsoft.com)
Date: 06/12/02 

From: "Jim Cavalaris [MS]" <jamesca@online.microsoft.com>
Date: Tue, 11 Jun 2002 17:29:10 -0700

this is usually caused by the incompatible program making
an incorrect assumption that users have all access to objects,
as they did under win9x. most commonly, the program is
trying to modify its own system-wide software settings in the
registry (HKLM\SOFTWARE), rather than use per-user
settings (HKCU\SOFTWARE).

assuming that's the case, a good way to track this down is
to enable auditing for access failures by users when running
the program.

this approach involves modifying machine policy, registry
permissions, and object audit entries, so it's not really for the
faint of heart, but it can help pinpoint the exact reason for the
failure, and allow you to target what objects you may need
to change the permissions on, which is usually preferable to
having to make all users Administrators just to run incompatible
programs.

as an Administrator, modify group policy to enable auditing
for object access (enabling auditing for failure should be sufficient,
and will reduce the number of acceses logged so you can browse
through the relevant ones more easily)...
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q315416#5

enable auditing for a set of registry keys you suspect the
program is trying to modify, but does not have access to...
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q315416#6

with regedit on windows xp, auditing a key is available by
selecting Edit --> Permissions for the key, (rather than
Security --> Permissions, as described above). again, it's
easiest and sufficient just to audit the access failures by
any member of the "Everyone" group. as long as the auditing
tab checkbox "Allow inheritable auditing entries ..." is checked,
you only need to do this on the parent of the subtree you want
to watch, not every key.

in most cases, the program is trying to modify system-wide
program settings somewhere in HKLM\SOFTWARE, which
only Admins can modify. if the program has a subkey under
HKLM\SOFTWARE,that's a good place to start. if you don't
see anything suspicious there, you may have to expand your
search to all of the SOFTWARE and/or SYSTEM branches.

log out of the Admin account, log in as the limited user.
run the program and encounter the failure. log out of the
limited user account and back into the Administrator account,
and view the audit entries in the eventlog (eventvwr.msc)
"Security" log to see what registry key/value accesses failed
for the limited user account.

modify security settings on the registry keys where failure
was encountered AS APPROPRIATE to grant the
appropriate access to the appropriate user group(s).
you shouldn't indiscriminately open up access to operating
system specific settings, since that would defeat the point of
running with limited accounts, and make the system
vulnerable.

remove the audit entries on the keys above, and disable
auditing when you're done.

if you suspect the failure is from a file access, rather than
registry access, you can also add audit entries on files and
directories, just as with registry keys.

if you suspect the failure is from lack of privilege, the group
policy editor also allows for auditing of privilege checks failures,
but in most cases, this should be rare.

hope this helps,
jim. 

--
This posting is provided "AS IS" with no warranties, and confers no rights.
"news1.sasknet.sk.ca" <internet@privacy.com> wrote in message news:#zZUciXECHA.2476@tkmsftngp02...
> I have set up my kids with limited user settings.  Some of the Educational
> software I install for them will not run unless I set them to Admin
> privilages, which is not an oiption, as my 2 year old can reek havik on My
> PC with that kind of power.  I have used the run AS but you must re-enter it
> when you want to use it.  I do not want to have to re-start software for my
> 2 year old every time he exits it by accident.
>
> How do I go about installing software for them and allowing them to run it,
> without changin their USER rights?
>
> Any info or direction would be greatly appreciated
>
> Thanks
>
> LB
>
>