Re: RunAS Command & Limited Accounts
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/18/04
Date: Wed, 17 Mar 2004 21:52:57 -0700
A few such applications actually have a hard-coded check in
them for Administrator or Administrators group membership.
Most applications, however, are only missing:
1. write access in their install dir (such as for your log file, or
for temp scratch files)
2. write access to the reg entries of the application (persisting
data incorrectly outside of the user's area)
3. write access to other filesystem areas (looking for d:\temp, or
trying to alter the application's ini file in the windows dir)

Worse comes to worst, one can download the free regmon and filemon
utilities from the great guys at www.sysinternals.com and
locate where the access failure is happening.

Correcting the application's environment so that it runs without
admin privs is far, far superior to using any of the methods that
attempt to hide RunAs credentials.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Bill" <bmatthews@rmcl.org> wrote in message
news:c46c01c40c69$10870500$a601280a@phx.gbl...
> Fritz,
>
> Thanks for the suggestion, however it's more than just the
> log file as I found out that needs read / write access
> given for the user. Also, I would prefer not to have the
> administrator user / pass sitting in a batch file for all
> to see / obtain. Is there any way to change the
> permissioning on this program or its directory to allow
> the limited account to have read/write/execute rights to
> the directory? I think that would work.
>
> >-----Original Message-----
> >You have at least two options (that I can think of right away) here - either
> >modify the permissions on the log file to give the limited user write access
> >to it or write a batch script that runs the application using the "runas"
> >command.
> >
> >"Bill Matthews" <bmatthews@rmcl.org> wrote in message
> >news:a7a701c40c5d$d00c37d0$a001280a@phx.gbl...
> >> Hey Folks,
> >>
> >> I have several IBM ThinkPad Laptops that we just got all
> >> running Windows XP Professional. These Laptops have
> >> limited accounts set up for all their primary users, as to
> >> not allow to mess with any of the system settings.
> >> However, their primary use is a piece of clinical software
> >> which won't run properly outside of an Administrator
> >> account on any of the Laptops. It needs to append to a log
> >> file on every run, which the limited account doesn't have
> >> access to.
> >>
> >> However, I can use the 'run as' command to run said
> >> program as Administrator or any other admin account which
> >> is on the machine, it just doesn't save the setting. Is
> >> there any way to tell an application to always run itself
> >> under an administrator's account, no matter who is logged
> >> onto the laptop? There are only 3 accounts on the laptops in
> >> question: 2 administrator accounts (1 the
> >> default 'Administrator') & 1 limited account for the
> >> computer's user. All I need the Laptop to do is run this
> >> one program as Administrator or the other admin account
> >> under the limited account. Any advice? I could use help
> >> ASAP. Thanks!
> >>
> >> -Bill
> >
> >.
> >
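
Added example, not part of the original thread: a PowerShell sketch (current Windows tooling, not what existed in 2004) of the approach the reply recommends, granting the limited account write access only on the objects where the access failure was traced instead of running the program as an administrator. The account name, log file path and registry key are assumed placeholders.

```powershell
# Run from an elevated prompt. Every name and path below is an assumed placeholder;
# substitute the exact objects Filemon/Regmon reported as ACCESS DENIED.
$Account = "$env:COMPUTERNAME\clinicuser"                  # limited account (assumed)
$LogFile = 'C:\Program Files\ClinicalApp\app.log'          # assumed log file
$RegKey  = 'HKLM:\SOFTWARE\ExampleVendor\ClinicalApp'      # assumed application key

function Grant-FsModify {
    param([string]$Path, [string]$Account)
    # A directory passes the ACE down to its children; a single file takes no
    # inheritance flags. Prefer the file or a data subdirectory over the whole
    # install dir, so the limited user cannot replace the program's binaries.
    $inherit = if (Test-Path -LiteralPath $Path -PathType Container) {
        'ContainerInherit,ObjectInherit' } else { 'None' }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'Modify', $inherit, 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-RegKeyWrite {
    param([string]$Path, [string]$Account)
    # Read plus value/subkey writes on the application's own key only.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Account, 'ReadKey,SetValue,CreateSubKey', 'ContainerInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Show-AccountAces {
    param([string]$Path, [string]$Account)
    # List the explicit and inherited ACEs that name the account, to confirm the grant.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Format-List IdentityReference, *Rights, AccessControlType, IsInherited
}

Grant-FsModify    -Path $LogFile -Account $Account
Grant-RegKeyWrite -Path $RegKey  -Account $Account
Show-AccountAces  -Path $LogFile -Account $Account
Show-AccountAces  -Path $RegKey  -Account $Account
```

After the grants, launch the program as the limited user and trace again; any remaining denied paths get the same treatment one object at a time.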