Solved

Administrative rights

Posted on 2002-06-18
Last Modified: 2010-04-13
I'm looking for an automated way to open up rights on all of our workstations to allow installing of programs.  The only thing I'd like to block is the installation of drivers, but it is not that important.

I still need them to have no such rights if they log into a server.

I've messed around with the GPO, but cannot find a series of settings that'll let all programs install.  (MS Project, Palm Software, etc. as examples.)


Any help out there?
Question by:bmullins
LVL 2

Expert Comment

by:Acrklor
ID: 7090772
On the workstation: make the users members of the default group "power user"; this should do it. (For detailed information about the rights of these users, look into the Win2k documentation.)

On the server: create users like the ones on the workstations and give them lower rights (such as the normal "user" group); however, I would deny them local login on the server.

Hope this helps
0
 
LVL 63

Accepted Solution

by:
SysExpert earned 200 total points
ID: 7090959
See jsiinc.com

3292 » Allow users to always install with System privileges. Administrator priv

 Windows 2000 has an Always install with elevated privileges Group Policy, that directs Windows Installer to always use System permissions when installing a program.

 I quote the Resource Kit:

 This policy extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned
 to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add/Remove Programs
 in Control Panel. This policy lets users install programs which require access to directories that the user might not have permission to
 view or change, including directories on highly restricted computers.

 Skilled users can take advantage of the permissions this entry grants to change their permissions and gain permanent access to
 restricted files and folders. Note that the User Configuration version of this entry is not guaranteed to be secure.

 This policy can be implemented at Computer Configuration\Administrative Templates\Windows Components\Windows
 Installer or User Configuration\Administrative Templates\Windows Components\Windows Installer.

 When enabled, Windows Installer defaults to using System privileges for the affected users' or computers' install.

 When I enabled the policy in Computer Configuration, it did an Add Value name AlwaysInstallElevated, as a
 REG_DWORD data type, and set the data value to 1, at the following keys:

 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer

 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Installer

 HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Installer
-------------

I hope this helps !
0
 

Author Comment

by:bmullins
ID: 7091518
Acrklor:  These are domain accounts.  Will creating them locally override the domain settings?


SysExpert:  Will your method only work on programs that use the Windows Installer?  What happens to legacy programs?


0
 
LVL 63

Expert Comment

by:SysExpert
ID: 7091534
It should probably work with any program that has some sort of *.inf file.
It may also work with anything trying to make a registry change.

I would read up on this in TechNet.

0
 
LVL 7

Expert Comment

by:jatcan
ID: 7092299
Or, if you really trust them, add their usernames to the local admin group, not the domain admin group. Then they can do whatever they like on their local machines, but have no domain admin rights...
0
 
LVL 2

Expert Comment

by:Acrklor
ID: 7093166
As jatcan wrote, there is a difference between local rights and domain rights. (I was thinking without domains; sorry for the bit of confusion.)
0
 

Author Comment

by:bmullins
ID: 7093731
Is there any way to automate creating the local user?
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 7094252
The default user is used as a template for all new user accounts.
If you set it up the way you want, then all new users will inherit the basic setup from that.

You need to do more reading on the subject. There are plenty of guides and how-to's

How to information for IT people IT solutions

http://www.microsoft.com/windows2000/techinfo/whatsnew/default.asp


http://www.microsoft.com/windows2000/default.asp
http://www.microsoft.com/windows2000/library/planning/pds-cnwsdtoc.asp
http://www.microsoft.com/ISN/deployment.asp

I hope this helps !
0
 
LVL 7

Expert Comment

by:jatcan
ID: 7095465
Well, every machine already has a local admin account. And every local admin account already has a password. If this local admin password is generic (from an image) and no one has (if they have permission) changed their generic password, then you MAY be able to use SMS to do this, or a login script (hafta look for the CLI to do this myself, if there is one? Anybody else know?). But if you have a bunch of machines with different local admin passwords then, even if it can be done, you will have to write a script for every machine on the network. What's the use of that? May as well access the machine directly and do it yourself... The user for domain.local admin should be the same and also the passwords should be kept synched... Gonna be a lot of research on something I am not even sure CAN be done using native NT tools... How many machines do you have to do this with? Are these machines already installed? If so, DO they have generic admin username/passwords (i.e., they all have "Administrator" for user name and say ... oh I don't know, "123456" for the password)?
0
 
LVL 7

Expert Comment

by:jatcan
ID: 7095815
I think SysExpert has either hit it on the head or come very close... See, in order to do it my way, you would have to log on as admin first (in order to be able to add users) and there is just way too much scripting involved and no certainty that it will even be workable. This is what I found on MS:

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/winxppro/proddocs/sag_Wininstall_Group_Policy_Computers.asp

So, run gpedit.msc

browse to the following keys:

1.) Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Installer

on the right side pane enable "Always Install With Elevated Privileges" and check the box that says "Check to force the setting on; Uncheck to force the setting off."

2.) Local Computer Policy\User Configuration\Administrative Templates\Windows Components\Windows Installer

on the right side pane enable "Always Install With Elevated Privileges" and check the box that says "Check to force the setting on; Uncheck to force the setting off."

You MUST perform the action on BOTH the Computer and the USER or it won't work.

Cheers.
0
 
LVL 7

Expert Comment

by:jatcan
ID: 7095822
Here are the directions from Microsoft as stated within the link in my last post:

Always install with elevated privileges:

If you disable this policy, or do not configure it, the system applies the current user's permissions when it installs programs that are not distributed or offered by an administrator.

 Note:

This policy appears in both the Computer Configuration and User Configuration folders. To make this policy effective, you must enable the policy in both folders.
 
Cheers.
0
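
Added example (not part of any poster's reply and not Microsoft's own code): a PowerShell audit that reports whether the "Always install with elevated privileges" policy discussed in the accepted answer and in jatcan's two posts is in effect for the account running it. The HKLM path is the one quoted in the accepted answer; the HKCU path `Software\Policies\Microsoft\Windows\Installer` is the standard per-user policy location and does not appear in the thread, and the function names are hypothetical.

```powershell
# Added example: audit AlwaysInstallElevated on the local machine for the current user.
# HKLM path: as quoted in the thread. HKCU path: standard per-user policy key (not on the page).
$policyKeys = [ordered]@{
    Computer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    User     = 'HKCU:\Software\Policies\Microsoft\Windows\Installer'
}

function Get-AlwaysInstallElevated {
    param([Parameter(Mandatory)][string]$KeyPath)
    # A missing key or value means "not configured", which behaves like disabled.
    $item = Get-ItemProperty -Path $KeyPath -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.AlwaysInstallElevated
}

function Test-AlwaysInstallElevated {
    $computerValue = Get-AlwaysInstallElevated -KeyPath $policyKeys['Computer']
    $userValue     = Get-AlwaysInstallElevated -KeyPath $policyKeys['User']

    # Per the Microsoft note quoted in the thread, the policy only takes
    # effect when it is enabled in BOTH Computer and User Configuration.
    $effective = ($computerValue -eq 1) -and ($userValue -eq 1)

    if ($effective) {
        $finding = 'ENABLED: Windows Installer runs any MSI with System privileges for this user'
    }
    elseif (($computerValue -eq 1) -or ($userValue -eq 1)) {
        $finding = 'HALF-SET: inactive now, but setting the other scope turns it on'
    }
    else {
        $finding = 'Not enabled'
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        UserName      = $env:USERNAME
        ComputerValue = $computerValue
        UserValue     = $userValue
        Effective     = $effective
        Finding       = $finding
    }
}

# Run the check and show the result; pipe to Export-Csv to collect results across workstations.
Test-AlwaysInstallElevated | Format-List
```

The HKCU value is read for the account running the script, so run it in the context of the user being audited. The Resource Kit text quoted in the accepted answer explains why an ENABLED result matters: skilled users can use these permissions to gain permanent access to restricted files and folders.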
 

Author Comment

by:bmullins
ID: 7097584
200 points for sysexpert for the answer

200 points for jatcan for clarity

gracias.

(jatcan, ur point will be a new q)
0
 
LVL 7

Expert Comment

by:jatcan
ID: 7098472
Geez, thanks. That was totally unexpected.

Cheers.
0
