Re: Problems running programs when users have restricted local permissions

From: Roger Abell [MVP] (mvpNOSPAM@asu.edu)
Date: 04/04/03 

From: "Roger Abell [MVP]" <mvpNOSPAM@asu.edu>
Date: Fri, 4 Apr 2003 05:33:14 -0700

There are very many apps that do not follow XP design
criteria. The most direct approach is "hunt and loosen"

Usually an app needs grant to Users of Modify on some
part within its install location (in Program Files).
Sometimes an app will be trying to use temp space in
a different location, or will be trying to persist user
specific info in the registry in a non-User specific area
(such as its main install keys). These two cases are
most easily solved with the regmon and filemon tools
from www.sysinternals.com which will assist you in
locating exactly where you need to grant elevated
permissions to the Users group. 

-- 
Roger Abell
MS MVP (Security, Windows), MCDBA,  MCSE both
Associate Expert - Windows XP ExpertZone
http://www.microsoft.com/windowsxp/expertzone
"tech" <tech@diavik.com> wrote in message news:063c01c2fa2c$53265000$3301280a@phx.gbl...
> We are trying to lock down our systems so users can't 
> change any local settings or install software on their 
> computers.
> 
> The problme we have run into with this is that there are 
> certain programs that will not run unless the user hass 
> at least Power User permissions.  One of these programs 
> is Microsoft Photo Editor which is part of Office 2000.  
> Al other Office programs run after being installed under 
> Admin permissions then changing the user back to 
> Restricted.
> 
> Does anyone now how to get around this?  It defeats the 
> purpose of having different security levels if you must 
> be a local administrator to run Microsoft programs.

Relevant Pages

  • Re: More before-the-fact advice for 2K and XP?
    ... neither ActiveX nor BHO require Admin permissions to ... given that non-admins have a significant amount of control over ... "Would you like to install the ... With executable white listing, the app doesn't just ...
    (microsoft.public.security)
  • Re: XP and the I875 ( IC7-G in this case)
    ... There is a way to provide drivers that are newer than ... when XP shipped into the install, but it is not a cake-walk. ... if the account in use does not have permissions ... >>greyed in the app and unable to make the change directly ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Design Guidelines for Non-Power Users?
    ... Non-Power Users and Admins will not be able to install your app. ... You can get whatever this folder happens to be by ... If they don't have write permissions, ...
    (microsoft.public.vb.winapi)
  • Re: Design Guidelines for Non-Power Users?
    ... Non-Power Users and Admins will not be able to install your app. ... You can get whatever this folder happens to be by ... If they don't have write permissions, ...
    (microsoft.public.vb.general.discussion)
  • Re: ClickOnce Nightmares
    ... your app need to install the settings. ... LAN) you could create a logon script that will automatically install the ... DownloadOptions options, ServerInformation& serverInformation) ... FileAccess access, Boolean asyncHint) ...
    (microsoft.public.dotnet.framework)