A Windows XP help forum. PCbanter


xp pro, granting domain user access to local resources?



 
 
  #1  
Old February 21st 08, 05:40 PM posted to microsoft.public.windowsxp.security_admin
geek-y-guy
external usenet poster
 
Posts: 7

Hi All: I have an SBS2003 domain with a number of xppro sp2 clients. All the
computers are members of the domain, and I've set up domain users for each
computer.

I have a USB scanner installed on one computer, and when a user logs on to
the local machine, they can access the scanner, but if they log on using the
domain account, they get an error when the scanner application tries to load
the (presumably) USB drivers for the scanner.

It seems like a local security policy issue, but I can't figure out what
privileges the domain user needs to have the same access the local account
has?

--



  #2  
Old February 21st 08, 05:42 PM posted to microsoft.public.windowsxp.security_admin
Lanwench [MVP - Exchange]
external usenet poster
 
Posts: 1,547

geek-y-guy wrote:
> Hi All: I have an SBS2003 domain with a number of xppro sp2 clients.
> All the computers are members of the domain, and I've set up domain
> users for each computer.
>
> I have a USB scanner installed on one computer, and when a user logs
> on to the local machine, they can access the scanner, but if they log
> on using the domain account, they get an error when the scanner
> application tries to load the (presumably) USB drivers for the
> scanner.
> It seems like a local security policy issue, but I can't figure out
> what privileges the domain user needs to have the same access the
> local account has?


If the scanner is installed already, this is unlikely to be a driver issue.
More likely, the software you're using is expecting the user to have
administrative rights on the workstation in order to run the app.

First, I'd contact the software developer and ask for a workaround which
does *not* involve granting domain users admin rights - this is sloppy code,
and they need to fix it.

If you get nowhere with them, try downloading Process Monitor from Microsoft
(a cool Sysinternals tool) that will help you find out what areas of the
file system & registry the app expects to write to, so you can manually
edit/correct it.


  #3  
Old February 21st 08, 06:00 PM posted to microsoft.public.windowsxp.security_admin
geek-y-guy
external usenet poster
 
Posts: 7

Thanks for the quick reply. This is an older Plustek scanner and I don't
expect the manufacturer will provide any updates for it. And yes, the
default user account locally has Admin rights, so you probably nailed it.

I don't have any issues granting the domain user admin rights on the
workstation, unless it opens up other vulnerabilities beyond them breaking
something g.

Short of that, what would I need to manually edit to grant access? do you
mean granting the domain user appropriate access to specific folders they'd
normally not have access to?

Thanks again!




  #4  
Old February 22nd 08, 12:28 AM posted to microsoft.public.windowsxp.security_admin
Lanwench [MVP - Exchange]
external usenet poster
 
Posts: 1,547

geek-y-guy wrote:
> Thanks for the quick reply. This is an older Plustek scanner and I
> don't expect the manufacturer will provide any updates for it.

OK - that's the hardware. Do you have to use that *software* for it?

> And yes, the default user account locally has Admin rights, so you
> probably nailed it.

You can test this by adding the domain user to the local Administrators
group....

> I don't have any issues granting the domain user admin rights on the
> workstation, unless it opens up other vulnerabilities beyond them
> breaking something g.

Ain't that enough for you? Malware infestation can take a long long time to
clean up, as well as cause problems on the network. :-)

> Short of that, what would I need to manually edit to grant access? do
> you mean granting the domain user appropriate access to specific
> folders they'd normally not have access to?

Yep - and registry keys. Do check out the Sysinternals tool. It's a good
thing to know how to use. Log in as the non-admin user, then launch the
Sysinternals tool using RunAs & providing valid local admin credentials.
Play with it a bit.

> Thanks again!




  #5  
Old February 22nd 08, 03:50 AM posted to microsoft.public.windowsxp.security_admin
Bruce Chambers
external usenet poster
 
Posts: 6,208

geek-y-guy wrote:
> Hi All: I have an SBS2003 domain with a number of xppro sp2 clients. All the
> computers are members of the domain, and I've set up domain users for each
> computer.
>
> I have a USB scanner installed on one computer, and when a user logs on to
> the local machine, they can access the scanner, but if they log on using the
> domain account, they get an error when the scanner application tries to load
> the (presumably) USB drivers for the scanner.
>
> It seems like a local security policy issue, but I can't figure out what
> privileges the domain user needs to have the same access the local account
> has?



You may experience some problems if the software was designed for
Win9x/Me, or if it was intended for WinNT/2K/XP, but was improperly
designed. Quite simply, the application doesn't "know" how to handle
individual user profiles with differing security permissions levels, or
the application is designed to make changes to "off-limits"
sections of the Windows registry or protected Windows system folders.

For example, saved data are often stored in a sub-folder under the
application's folder within C:\Program Files - a place where no
inexperienced or limited user should ever have write permissions.

It may even be that the software requires "write" access to parts
of the registry or protected systems folders/files that are not normally
accessible to regular users. (This *won't* occur if the application is
properly written.) If this does prove to be the case, however, you're
often left with three options: Either grant the necessary users
appropriate higher access privileges (either as Power Users or local
administrators), explicitly grant normal users elevated privileges to
the affected folders and/or part(s) of the registry, or replace the
application with one that was properly designed specifically for
WinNT/2K/XP.

Some Programs Do Not Work If You Log On from Limited Account
http://support.microsoft.com/default...;EN-US;q307091

Additionally, here are a couple of tips suggested, in a reply to a
different post, by MS-MVP Kent W. England:

"If your game or application works with admin accounts, but not with
limited accounts, you can fix it to allow limited users to access the
program files folder with "change" capability rather than "read" which
is the default.

C:\>cacls "Program Files\appfolder" /e /t /p users:c

where "appfolder" is the folder where the application is installed.

If you wish to undo these changes, then run

C:\>cacls "Program Files\appfolder" /e /t /p users:r

If you still have a problem with running the program or saving settings
on limited accounts, you may need to change permissions on the registry
keys. Run regedit.exe and go to HKLM\Software\vendor\app, where
"vendor\app" is the key that the software vendor used for your specific
program. Change the permissions on this key to allow Users full control."


--

Bruce Chambers

Help us help you:
http://www.catb.org/~esr/faqs/smart-questions.html

http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot
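
An added example, not part of any post in this thread: one way to triage a Process Monitor capture of the failing application, as Lanwench recommends, so that the scoped-grant option Bruce Chambers lists is applied to the narrowest folder or key rather than to the whole account. It assumes the capture was saved in Process Monitor's CSV format; `scanapp.exe` and every sample row are constructed placeholders, `appfolder` and `vendor\app` reuse the thread's own placeholders, and `grant_target` / `denied_targets` are hypothetical helper names.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Constructed sample in the column layout of a Process Monitor CSV export.
# "scanapp.exe" and all rows are placeholders, not data from the thread.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"5:41:02.1","scanapp.exe","1204","CreateFile","C:\Program Files\appfolder\scan.ini","ACCESS DENIED","Desired Access: Generic Write"
"5:41:02.2","scanapp.exe","1204","CreateFile","C:\Program Files\appfolder\last.tmp","ACCESS DENIED","Desired Access: Generic Write"
"5:41:02.3","scanapp.exe","1204","RegSetValue","HKLM\SOFTWARE\vendor\app\LastDevice","ACCESS DENIED","Type: REG_SZ"
"5:41:02.4","scanapp.exe","1204","CreateFile","C:\WINDOWS\system32\scan.log","ACCESS DENIED","Desired Access: Generic Write"
"5:41:02.5","scanapp.exe","1204","RegOpenKey","HKLM\SOFTWARE\vendor\app","SUCCESS","Desired Access: Read"
"5:41:02.6","explorer.exe","880","CreateFile","C:\Documents and Settings\All Users\x.dat","ACCESS DENIED","Desired Access: Generic Write"
'''

REG_ROOTS = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")
# Locations shared by the whole system: a denial here is a reason to replace or
# redirect the app, not to loosen the ACL for Users.
TOO_BROAD = ("c:\\windows", "c:\\program files", "hklm\\software", "hklm\\system")

def grant_target(operation, path):
    """Return (kind, container): the folder or key whose ACL governs the denied access."""
    if path.upper().startswith(REG_ROOTS):
        # RegSetValue/RegDeleteValue paths end in a value name; the ACL is on the key.
        is_value = operation in ("RegSetValue", "RegDeleteValue")
        return "registry", ntpath.dirname(path) if is_value else path
    return "file", ntpath.dirname(path)

def denied_targets(csv_text, process_name):
    """Map each container to its kind, denial count and whether it is shared system space."""
    found = defaultdict(lambda: {"kind": "", "denials": 0, "shared": False})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Result"] != "ACCESS DENIED":
            continue
        kind, target = grant_target(row["Operation"], row["Path"])
        entry = found[target]
        entry["kind"], entry["denials"] = kind, entry["denials"] + 1
        low = target.lower()
        entry["shared"] = low in TOO_BROAD or low.startswith("c:\\windows\\")
    return dict(found)

if __name__ == "__main__":
    for target, info in sorted(denied_targets(SAMPLE_CSV, "scanapp.exe").items()):
        note = "shared system location, do not loosen" if info["shared"] else "candidate for a scoped grant"
        print(f'{info["kind"]:8} {info["denials"]:2}  {target}  ({note})')
```

Only the containers reported as candidates are worth a per-folder or per-key grant; anything flagged as shared points back to the other two options in the post above.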
  #6  
Old February 22nd 08, 10:19 PM posted to microsoft.public.windowsxp.security_admin
geek-y-guy
external usenet poster
 
Posts: 7

Thanks Bruce and Lanwench...that was all great info!




 



