If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
User rights problem (Least Privilege)
Hi All,
I am managing a small network with Windows 2003 as DC and XP as clients. Some of my applications does not run under normal user account, is there any way to give permission to applications instead of adding users to power user or admin group. Some 3rd party tools are available but i m looking for builtin option in windows xp or through 2003 GP. Kind Regards |
Ads |
#2
|
|||
|
|||
User rights problem (Least Privilege)
You can try the RunAs commnand. This works for some programs, but not all.
If you do need to make your users Administrators, be careful you don't inadvertently give them Administrator rights to the server too, it's very easily done. Create a domain group which has local-machine Admin rights (but not domain-admin rights) and add them to that. |
#3
|
|||
|
|||
User rights problem (Least Privilege)
Thanks for your reply,
For temp. solution i added Domain Users group into Power User group and application works well, but by doing this user get extra rights for eg. they can share folders and change system time etc. The best possible solution is to gave rights to application instead of user. There are some 3rd party tools which offers this service but i am looking for builtin windows feature . Looking for positive response. "Ian" wrote: You can try the RunAs commnand. This works for some programs, but not all. If you do need to make your users Administrators, be careful you don't inadvertently give them Administrator rights to the server too, it's very easily done. Create a domain group which has local-machine Admin rights (but not domain-admin rights) and add them to that. |
#4
|
|||
|
|||
User rights problem (Least Privilege)
Ahmed wrote:
Hi All, I am managing a small network with Windows 2003 as DC and XP as clients. Some of my applications does not run under normal user account, is there any way to give permission to applications instead of adding users to power user or admin group. Some 3rd party tools are available but i m looking for builtin option in windows xp or through 2003 GP. You may experience some problems if the software was designed for Win9x/Me, or if it was intended for WinNT/2K/XP, but was improperly designed. Quite simply, the application doesn't "know" how to handle individual user profiles with differing security permissions levels, or the application is designed to make to make changes to "off-limits" sections of the Windows registry or protected Windows system folders. For example, saved data are often stored in a sub-folder under the application's folder within C:\Program Files - a place where no inexperienced or limited user should ever have write permissions. It may even be that the software requires "write" access to parts of the registry or protected systems folders/files that are not normally accessible to regular users. (This *won't* occur if the application is properly written.) If this does prove to be the case, however, you're often left with three options: Either grant the necessary users appropriate higher access privileges (either as Power Users or local administrators), explicitly grant normal users elevated privileges to the affected folders and/or part(s) or the registry, or replace the application with one that was properly designed specifically for WinNT/2K/XP. Some Programs Do Not Work If You Log On from Limited Account http://support.microsoft.com/default...;EN-US;q307091 Additionally, here are a couple of tips suggested, in a reply to a different post, by MS-MVP Kent W. England: "If your game or application works with admin accounts, but not with limited accounts, you can fix it to allow limited users to access the program files folder with "change" capability rather than "read" which is the default. C:\cacls "Program Files\appfolder" /e /t /p users:c where "appfolder" is the folder where the application is installed. If you wish to undo these changes, then run C:\cacls "Program Files\appfolder" /e /t /p users:r If you still have a problem with running the program or saving settings on limited accounts, you may need to change permissions on the registry keys. Run regedit.exe and go to HKLM\Software\vendor\app, where "vendor\app" is the key that the software vendor used for your specific program. Change the permissions on this key to allow Users full control." -- Bruce Chambers Help us help you: http://dts-l.org/goodpost.htm http://www.catb.org/~esr/faqs/smart-questions.html You can have peace. Or you can have freedom. Don't ever count on having both at once. - RAH |
#5
|
|||
|
|||
User rights problem (Least Privilege)
Dear Bruce
After giving write permission to Users group on Windows folder the application runs smoothly. Thanks for your reply "Bruce Chambers" wrote: Ahmed wrote: Hi All, I am managing a small network with Windows 2003 as DC and XP as clients. Some of my applications does not run under normal user account, is there any way to give permission to applications instead of adding users to power user or admin group. Some 3rd party tools are available but i m looking for builtin option in windows xp or through 2003 GP. You may experience some problems if the software was designed for Win9x/Me, or if it was intended for WinNT/2K/XP, but was improperly designed. Quite simply, the application doesn't "know" how to handle individual user profiles with differing security permissions levels, or the application is designed to make to make changes to "off-limits" sections of the Windows registry or protected Windows system folders. For example, saved data are often stored in a sub-folder under the application's folder within C:\Program Files - a place where no inexperienced or limited user should ever have write permissions. It may even be that the software requires "write" access to parts of the registry or protected systems folders/files that are not normally accessible to regular users. (This *won't* occur if the application is properly written.) If this does prove to be the case, however, you're often left with three options: Either grant the necessary users appropriate higher access privileges (either as Power Users or local administrators), explicitly grant normal users elevated privileges to the affected folders and/or part(s) or the registry, or replace the application with one that was properly designed specifically for WinNT/2K/XP. Some Programs Do Not Work If You Log On from Limited Account http://support.microsoft.com/default...;EN-US;q307091 Additionally, here are a couple of tips suggested, in a reply to a different post, by MS-MVP Kent W. England: "If your game or application works with admin accounts, but not with limited accounts, you can fix it to allow limited users to access the program files folder with "change" capability rather than "read" which is the default. C:\cacls "Program Files\appfolder" /e /t /p users:c where "appfolder" is the folder where the application is installed. If you wish to undo these changes, then run C:\cacls "Program Files\appfolder" /e /t /p users:r If you still have a problem with running the program or saving settings on limited accounts, you may need to change permissions on the registry keys. Run regedit.exe and go to HKLM\Software\vendor\app, where "vendor\app" is the key that the software vendor used for your specific program. Change the permissions on this key to allow Users full control." -- Bruce Chambers Help us help you: http://dts-l.org/goodpost.htm http://www.catb.org/~esr/faqs/smart-questions.html You can have peace. Or you can have freedom. Don't ever count on having both at once. - RAH |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Windows error message | Glo | The Basics | 46 | June 16th 10 09:09 PM |
user access rights problem | rose | Windows XP Help and Support | 6 | May 27th 05 10:27 PM |
Problem with Windows Explorer on XP-Pro/SP2 | Karl Jahr | Windows Service Pack 2 | 16 | March 22nd 05 03:57 AM |
Slow login problems | Trevor Williams | Networking and the Internet with Windows XP | 0 | March 17th 05 09:29 AM |
Windows Explorer crashes in XP-Pro/SP2 | Karl Jahr | Windows Service Pack 2 | 7 | January 5th 05 04:06 PM |