Re: Deny Interactive Logon but Allow Runas



Ben added these comments in the current discussion du jour ...

HP,

The software is a piece of IBM software, and it would be nice
if the software were less flaky, or if there were a 3rd party
alternative; I've suggested this on a number of occasions.
However, we're an IBM business partner, and tied in to using
the specific piece of software in question.

You'll have to forgive my denseness, then. If you really are an
IBM Business Partner, why don't you ask THEM what this
top-secret app does that makes it "flaky" and have them either
fix it or replace it?

I don't personally use the software, but I've been told by the
guys that do that occasionally an install can become
'corrupt' and needs re-installing. I don't know how true this
is; the user who told me isn't the greatest end user. The
users may also need to install a fix pack, which you have to
be an admin to install. One of the problems is they may go to
a site and find the client has version 6 of the software
with fix pack 2, so they need to get the install on their
laptop to the same level as the client; this way any
'modeling' you do is guaranteed to work. But the next day they
might go on another site and find the client running v5.3 with
fix pack 6.

Once installed correctly, without error, and running, absent HD
or memory problems perhaps, software seldom gets "corrupt".
Again, there are exceptions to any rule here, but SW doesn't need
to have its oil and filter replaced; it just runs unless/until a
bug appears, a Registry key gets corrupted - which DOES happen
even on well-behaved and stable apps - or some other anomaly
occurs. I understand that you don't use this apparent POS but you
do support it. Perhaps you should delve deeper into this yourself
and save both personal grief and grief for your internal
customers who cannot work.

We've tried virtualisation, running VMware and giving the
users local admin rights to the virtual machine, which they
can then install and uninstall to their hearts' content.
However, this bit of software is so memory hungry that you
have to have at least 4 GB of RAM installed, with a minimum of 2 GB
dedicated to the VM, to be able to run it anywhere near smoothly
enough to be able to work on it.

This paragraph makes no sense whatsoever. What is
"virtualisation" anyway? Do you mean that it pages to
pagefile.sys too much? As to memory, I believe you said you're
running XP Pro SP2? Is it 32 or 64-bit? If the former, 4 gig is
all you can install, and the top gig isn't normally addressable
by SW or even Windows. Again, if your secret app is really so bad
yet somehow indispensable, I cannot understand why you've not
beaten on its developer.

What I'd 'like' is to say users can't install ANY software
except this, this and this. I don't know whether software
restriction policies would be a workable option; maybe we
could add the install files' hash or something...

I'm not very familiar with user-specific restrictions except the
obvious via accounts and perhaps restricting certain security
rights for given files. But, even if you could stop your users
from installing SW, how would that help you? Are you saying that
your users are incorrectly installing new apps or mangling older
ones, and that is what is causing your "flaky" app to hiccup?

It isn't that I want to beat up on you personally, but even if I
were able to help technically, perhaps by some judicious reading
or from prior personal experience, you simply haven't given any
facts that would point to suggested fixes. It's your business to
reveal what is really going on here or keep it confidential, but
you're asking a peer-to-peer user help NG to diagnose a problem
with no knowledge as to what the app is, other things going on with
the systems having "flaky" problems, whether you've checked their
HW, etc. And, is it even remotely possible that malware may be
the cause?

Ben

"HEMI-Powered" <none@xxxxxxx> wrote in message
news:Xns99D8657CCA8AEReplyScoreID@xxxxxxxxxxxxxxxx
Ben added these comments in the current discussion du jour ...

Hi,

We have a number of consultants who use a piece of very
flaky software, which sometimes requires

You don't say what this is, but have you considered getting
something un-flaky? Unless this is very old legacy software
and there is no newer version, or it is custom-written, or
the like, you may have a problem, but if you provide some
hints as to what your users really want to do, maybe somebody
could give you an intelligent suggestion.

uninstalling/re-installing, or having fix packs installed.
As our users don't have local admin rights, they usually have
to come to the IT department, and we put them in a kind of
'maintenance mode' so they can perform the necessary tasks;
this is basically just a group that is a member of the local
Administrators group. When in the office this isn't a problem.
However, if they are out on site and they need to
reinstall, this causes problems.

One solution would be to put them 'maintenance mode/local
admin group' for the entire time they are on a client site,
but obviously this opens a number of security holes.

Another solution would be to create a secondary user that
does have local admin rights, and to use this with the runas
command to uninstall/re-install, or perform other admin
tasks.

However, I know our users: once they know the username &
password, they will try to log in as this user, as it's easier
than having to keep using runas, which then opens the same
security holes as putting their standard users in the local
admin group.

Is there someway of allowing a user to logon using runas,
but deny the interactive logon? I've tried enabling 'Deny
log on locally' via GP, but this also denies the user Runas.

Or is there a 3rd way of doing this that I'm missing? Our
users need to be able to do certain admin functions, such as
re-installing software, when on a client's site to perform
their job properly; however, we don't want them running in
admin mode all the time.

Ben

P.S. We're running Windows XP SP2 on a Win 2003 R2 domain.

You list some rather bizarre and difficult to implement
alternatives but again, wouldn't getting more stable software
be more appropriate?

--
HP, aka Jerry






--
HP, aka Jerry
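Editor's note on the technical point buried in the thread: Ben's observation that "Deny log on locally" also breaks runas is expected behaviour, not a misconfiguration. runas.exe hands the request to the Secondary Logon service, which performs an interactive (type 2) logon for the target account, and "Deny log on locally" is exactly the right (SeDenyInteractiveLogonRight) that refuses type 2 logons. runas /netonly avoids the local logon, but it also gives the new process no local admin token, so it does not help with installs. The script below is an added example, not code from the thread or from Microsoft: it calls advapi32!LogonUser for each logon type so you can see which rights a candidate maintenance account actually holds before rolling it out. The account name CORP\svc-maint is a placeholder; it runs on Windows PowerShell 2.0 or later on a domain-joined machine and grants nothing itself.

```powershell
# Added example (not from the thread): probe which logon types an account is granted.
# Type 2 (INTERACTIVE) is what runas.exe / Secondary Logon uses, so an account covered
# by "Deny log on locally" fails type 2 here with error 1385, exactly as runas does.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Win32Logon
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUser(
        string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
"@

function Test-LogonType {
    param(
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential] $Credential
    )
    $net = $Credential.GetNetworkCredential()
    # An empty domain means a local account; "." selects the local SAM.
    $domain = if ($net.Domain) { $net.Domain } else { '.' }

    # Logon types from winbase.h, with the user right that governs each one.
    $types = @(
        @{ Name = 'Interactive (2): runas, console; "Allow/Deny log on locally"';  Value = 2 },
        @{ Name = 'Network (3): SMB/IPC; "Access this computer from the network"';  Value = 3 },
        @{ Name = 'Batch (4): scheduled tasks; "Log on as a batch job"';            Value = 4 },
        @{ Name = 'Service (5): services; "Log on as a service"';                   Value = 5 }
    )

    foreach ($t in $types) {
        $token = [IntPtr]::Zero
        # dwLogonProvider 0 = LOGON32_PROVIDER_DEFAULT
        $ok  = [Win32Logon]::LogonUser($net.UserName, $domain, $net.Password, $t.Value, 0, [ref] $token)
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($ok) { [void] [Win32Logon]::CloseHandle($token) }

        # Win32Error: 0 on success; 1385 = ERROR_LOGON_TYPE_NOT_GRANTED (right missing or
        # explicitly denied); 1326 = ERROR_LOGON_FAILURE (wrong password / unknown account).
        New-Object PSObject -Property @{
            LogonType  = $t.Name
            Allowed    = $ok
            Win32Error = $(if ($ok) { 0 } else { $err })
        }
    }
}

# Usage: prompt for the maintenance account (placeholder name) and list its logon types.
Test-LogonType -Credential (Get-Credential 'CORP\svc-maint') |
    Select-Object LogonType, Allowed, Win32Error |
    Format-Table -AutoSize
```

Read the output as a right-by-right audit: if the account is meant to be used only via runas, the Interactive row must be Allowed, which is precisely why the GPO approach in the thread cannot distinguish runas from a console logon. Check the Network and Batch rows as well, since a maintenance account with a password the users know will be tried against file shares and scheduled tasks, not just the logon screen.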