Re: Limit administrators permissions

From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 12/02/04


Date: Thu, 2 Dec 2004 13:06:43 -0500

Evan wrote:
> One of the main applications that we have on the XP SP2
> image is Hummingbird DM 5 and it needs the user to be
> local admin, otherwise it does not install the Office
> 2003 integration bits.

You say install, but do you mean every single time you run it it needs to
install something? If not, why not temporarily grant the user local admin
rights, install what's needed, and revoke rights?

Does the app developer have a new version or workaround? I would complain up
a storm about this - it's simply bad programming.

> It writes to HKLM etc etc.

Can't you change the permissions on the keys?
Have you tried FileMon and RegMon from www.sysinternals.com?

> Bad app
> but we have no choice. So that's why we need users to have
> local administrator access. Believe me, we tried to have it
> the other way but it delayed our project too much.
>
> I would expect users not to know how to give themselves the
> rights again. So if you have any ideas on how to do it I
> would greatly appreciate them.

You cannot expect to limit an administrator, really.
>
> Thanks
> Evan
>
>> -----Original Message-----
>> Not sure you can. Anything you do to lock them down would have to be
>> done as administrator. They have administrator rights to the
>> computer and they can reverse whatever you just did.
>>
>> You might try this link to see if the app will work when logged in
>> as a user instead of admin:
>> http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/daniels1.mspx
>>
>> You might also see if they make a version compatible with XP.
>>
>>
>> hth
>> DDS W 2k MVP MCSE
>>
>> "Evan" <anonymous@discussions.microsoft.com> wrote in message
>> news:081b01c4d887$b37d89b0$a301280a@phx.gbl...
>>> Hi,
>>>
>>> In our company all users on XP are local administrators on
>>> their workstations to allow all the legacy apps to
>>> function.
>>>
>>> I would like to restrict the administrators group rights
>>> on the workstation and more importantly prevent users from
>>> accessing other users local profiles in Documents and
>>> Settings. How would I go about doing that?
>>>
>>> Any help would be greatly appreciated.
>>>
>>> Thanks.
>>> Evan
>>
>>
>> .


