Re: Admin right for station

From: Bruce Chambers (bchambers_at_cable0ne.n3t)
Date: 11/24/05 

Date: Thu, 24 Nov 2005 10:55:53 -0700

Crown Royal wrote:
> I would love to know how to give my users admin right to their own station.

        Simply add each users' domain account to the computer's local
Administrators group. (And then double the number of Help Desk and
desktop support technicians you currently employ - their workload is
about to sky-rocket.)

> The only thing that has worked for me is to go to the station and change the
> security settings on both the C drive and the registry.

        And how could that possibly be expected to confer administrative
privileges? Is there no one in your IT department that's ever worked
with WinNT, Win2K, or WinXP?

> They are logging on
> to a domain, so it's taking the domain user persmissions. I tried giving
> them administrator rights on their account, but I guess it doesn't mean local
> admin rights.

        You mean you're giving all of your users domain admin privileges? How
did you ever get hired to sabotage a network?

> Some sofware that they are running needs them to be
> adminstrators of their own station, ...

        Nonsense.

     You may experience some problems if the software was designed for
Win9x/Me, or if it was intended for WinNT/2K/XP, but was improperly
designed. Quite simply, the application doesn't "know" how to handle
individual user profiles with differing security permissions levels, or
the application is designed to make to make changes to "off-limits"
sections of the Windows registry or protected Windows system folders.

     For example, saved data are often stored in a sub-folder under the
application's folder within C:\Program Files - a place where no
inexperienced or limited user should ever have write permissions.

     It may even be that the software requires "write" access to parts
of the registry or protected systems folders/files that are not normally
accessible to regular users. (This *won't* occur if the application is
properly written.) If this does prove to be the case, however, you're
often left with three options: Either grant the necessary users
appropriate higher access privileges (either as Power Users or local
administrators), explicitly grant normal users elevated privileges to
the affected folders and/or part(s) or the registry, or replace the
application with one that was properly designed specifically for
WinNT/2K/XP.

Some Programs Do Not Work If You Log On from Limited Account
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q307091

     Additionally, here are a couple of tips suggested, in a reply to a
different post, by MS-MVP Kent W. England:

"If your game or application works with admin accounts, but not with
limited accounts, you can fix it to allow limited users to access the
program files folder with "change" capability rather than "read" which
is the default.

C:\>cacls "Program Files\appfolder" /e /t /p users:c

where "appfolder" is the folder where the application is installed.

If you wish to undo these changes, then run

C:\>cacls "Program Files\appfolder" /e /t /p users:r

If you still have a problem with running the program or saving
settings on limited accounts, you may need to change permissions on
the registry keys. Run regedit.exe and go to HKLM\Software\vendor\app,
where "vendor\app" is the key that the software vendor used for your
specific program. Change the permissions on this key to allow Users
full control."

> .... and going to each to edit the rights on
> the station is ridiculous.

        And unnecessary. Consider hiring a network administrator and a
technician or two who know something about managing a domain and its
workstations. 

-- 
Bruce Chambers
Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html
You can have peace. Or you can have freedom. Don't ever count on having 
both at once. - RAH

Relevant Pages

  • Re: Running applications with administrative privileges
    ... individual user profiles with differing security permissions levels, or the application is designed to make to make changes to "off-limits" sections of the Windows registry or protected Windows system folders. ... If this does prove to be the case, however, you're often left with three options: Either grant the necessary users appropriate higher access privileges (either as Power Users or local administrators), explicitly grant normal users elevated privileges to the affected folders and/or partor the registry, or replace the application with one that was properly designed specifically for WinNT/2K/XP. ... If you still have a problem with running the program or saving settings on limited accounts, you may need to change permissions on the registry keys. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Install for all users
    ... Any application that's been properly designed for use on Vista would either give the person performing the installation the option of making the application available to all users, or do so automatically, by default. ... Quite simply, the application doesn't "know" how to handle individual user profiles with differing security permissions levels, or the application is designed to make to make changes to "off-limits" sections of the Windows registry or protected Windows system folders. ... "If your game or application works with admin accounts, but not with limited accounts, you can fix it to allow limited users to access the program files folder with "change" capability rather than "read" which is the default. ...
    (microsoft.public.windows.vista.file_management)
  • Re: windows XP home
    ... how to handle individual user profiles, ... make changes to "off-limits" sections of the registry. ... Start Menu folder and Desktop folder shortcuts from the user profile ... limited accounts, you can fix it to allow limited users to access the ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Running programs with Admin-Rights
    ... this software is running only with administative rights on the client. ... Quite simply, the application doesn't "know" how to handle individual user profiles with differing security permissions levels, or the application is designed to make to make changes to "off-limits" sections of the Windows registry or protected Windows system folders. ... "If your game or application works with admin accounts, but not with limited accounts, you can fix it to allow limited users to access the program files folder with "change" capability rather than "read" which is the default. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Child-proof computing...
    ... Quite simply, the application doesn't "know" how to handle individual user profiles with differing security permissions levels, or the application is designed to make to make changes to "off-limits" sections of the Windows registry or protected Windows system folders. ... If this does prove to be the case, however, you're often left with two options: Either explicitly grant normal users elevated privileges to the affected folders and/or partor the registry, or replace the application with one that was properly designed specifically for WinNT/2K/XP. ... "If your game or application works with admin accounts, but not with limited accounts, you can fix it to allow limited users to access the program files folder with "change" capability rather than "read" which is the default. ...
    (microsoft.public.windowsxp.general)
Quantcast