Windows 2003 - User Logins vs Software
Post #3, February 25th 05, 10:37 PM
Chris Priede (external usenet poster)

Hi,

Marilyne wrote:
> We have recently installed a Windows 2003 domain server. Our
> workstations are running Windows XP Professional. [...] Some of the
> software will not work unless the user has administrative
> rights to the server.


The mention of the server leads me to suspect you might not realize that you
can also grant a specific user local admin rights, on their particular
workstation only. To do it remotely (from the server): log on as a domain
admin, open "Active Directory Users and Computers", locate the workstation
computer object, right click and choose "Manage". Computer Management
snap-in will open for the workstation. Add the user's domain account to the
"Administrators" group under "Local Users and Groups".

This only grants the user administrator privileges to that specific
workstation, which is something you should try to avoid if you can -- but it
is much less of a security compromise than handing out domain admin
privileges.

> I have two software packages that will not work and one Vinyl
> cutter (printer) that will not work unless the workstation is logged
> on with administrative access.


Sadly, this is not uncommon -- especially with limited market,
industry-specific applications (which tend to be poorly designed to begin
with and even more poorly maintained after).

Your options include:

1) Get better software. This could mean a different product, or perhaps a
newer version (if there is one and if it addresses the privilege issues).

2) Live with giving users local admin. Before you concede to that, try the
local "Power User" group -- it's a step between ordinary user and admin, and
it may suffice.

3) Tweak it. In most cases, the culprit software is only trying to write to
files and registry locations that have inherited prohibitive default
permissions. This could be data files under the installation directory,
.ini files under Windows directory, registry keys in the HKLM hive, and so
forth.

You can change the permissions on these items to allow ordinary users to
modify them and your software will be happy. With some effort and an
understanding of NTFS security and auditing, it is usually possible to get
it to work.

Unfortunately, you will have to work out what permissions are needed and
where, individually for each program. Sometimes the vendor will have
documented it in response to complaints from other users before you (it's
worth your time to call and ask), but more often than not they will just say
"use an admin account" and you will have to solve it on your own.

--
Chris Priede
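
The permission change described in option 3, as an added PowerShell example that is not part of the original post: it grants a dedicated group Modify on one data folder and write access to one HKLM key, instead of local admin. The group name, folder and registry key are hypothetical placeholders; it assumes PowerShell is available on the workstation and is run from an elevated prompt.

```powershell
# Added example. Every name below is a hypothetical placeholder; substitute
# the locations the application actually fails to write to.
$Group   = 'EXAMPLE\CutterAppUsers'                  # hypothetical domain group
$DataDir = 'C:\Program Files\CutterApp\Data'         # data folder only, not the folder holding the .exe/.dll files
$RegKey  = 'HKLM:\SOFTWARE\CutterVendor\CutterApp'   # hypothetical settings key

function Grant-FolderModify {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    # Modify = read/write/delete, without the right to change permissions or take ownership
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-RegistryWrite {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    # Read plus value/subkey creation; no Delete, ChangePermissions or TakeOwnership
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, 'ReadKey,SetValue,CreateSubKey', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Grant-FolderModify  -Path $DataDir -Identity $Group
Grant-RegistryWrite -Path $RegKey  -Identity $Group

# Verify: list only the entries that now apply to the group
foreach ($target in $DataDir, $RegKey) {
    (Get-Acl -Path $target).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group } |
        Select-Object @{ n = 'Target'; e = { $target } }, IdentityReference,
                      AccessControlType, IsInherited, InheritanceFlags
}
```

Keeping the grant off the folder that holds the program's executables matters: a folder where ordinary users can replace binaries that an administrator later runs undoes the benefit of not handing out admin rights.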

