PyroPhin asked:

Win 2000 security not liking application

hey, quick question:

I set up a 2k network in a classroom at my school, 2k server and 2kpro workstations. I am having difficulties running applications as any user other than administrator, leaving me no other option than to set the student accounts as admin so the apps may be used. As you can imagine this causes a lot of hassle. I have tried installing the apps on a network drive, but with 35 machines, that is more drive space than I have, and there has to be a better way.
I have some security in place on the workstations. I don't allow access to the C:\ drive in the GP and deny all access besides List Directory on each workstation. The programs are all installed in a directory with Full Control for Everyone, so I don't think the denial of access to C would affect them much.

Is there a way to run just the application as an administrator? I know you can do it and enter your password every time, but that isn't practical for this application.

Thanks in advance for your help.

~Dan
rrhunt28:

Unfortunately some applications require admin rights. If you had them sign on and off, at least you would have a record if someone screwed something up.
DENY takes precedence over ALLOW... so by explicitly denying "Everyone" access, there is no way they will have access. If you don't want them to have access to a file, just make sure the user accounts they are using are not listed in the security properties, nor any of the groups they belong to; this includes the "Everyone" group.

Hope this helps.
Power Users can do a lot; I have not run into many apps that can't be run as a Power User. Setups and installs do need admin rights, especially if they need to modify the registry. RunAs can give you admin rights; below are two links you should read. By holding Shift and right-clicking an icon you'll see "Run as" in the list of options. Type in your username/password and domain (unless you have a local account you'll be using), then click OK. RunAs can also be run from the command line.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/runas.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/server/lsm_overview_01.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/server/lsm_local_groups.asp

Power Users are able to install program updates like those from a virus program, like McAfee or Norton.
There aren't many trivial things that they can't do. Most of the big stuff like installs and registry modifications are minimum.
-NEO
And WinXPFixR is right: you may be being too strict. Or if you remove Everyone, be sure to add the users that are using that app, no matter what group they'd be in. That should save you some headache. Also a little pre-emptive note: do not remove the SYSTEM account from the drive where your pagefile.sys file resides; that account is needed to properly create the page file.
GL
-NEO
I agree with WinXpFixr. You don't want to explicitly Deny access to C. What I suggest is make sure your students have Read and Execute on C:\. Also, give your users limited accounts on the workstations (or it will be easier for you to install Active Directory and have a domain inside your classroom, then set all your users to Domain Users; that way they may have local accounts on each machine without administrator access).
I hope that helps.
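The three replies above (rrhunt28's "DENY takes precedence over ALLOW", NEO's "remove the Everyone" advice, and the suggestion not to Deny on C:\ at all) all turn on how Windows walks a DACL. The toy access check below is an added example, not code from anyone in this thread; the access-mask bits, group names and paths are made up for illustration, but the evaluation order follows the documented canonical DACL order: explicit ACEs before inherited ones, nearer inherited ACEs before more distant ones, Deny before Allow within each level, and the check fails closed when no ACE covers the requested rights. It shows that an explicit Deny on Everyone does defeat any Allow the student's groups carry, but also that an explicit Allow on the object (what the asker did on the application directory) sits ahead of a Deny inherited from C:\, which is why the app itself launches while whatever it writes elsewhere under C:\ still fails.

```python
"""Toy model of a Windows DACL access check (added illustration, not the
original posters' code). Bits, principals and paths are constructed."""
from dataclasses import dataclass

# Constructed access-mask bits standing in for the real 32-bit rights.
READ, WRITE, EXECUTE, DELETE, LIST, OWNER = 1, 2, 4, 8, 16, 32
CHANGE = READ | WRITE | EXECUTE | DELETE | LIST   # the cacls ":C" level
FULL = CHANGE | OWNER                             # adds change-permissions/take-ownership


@dataclass(frozen=True)
class Ace:
    trustee: str       # account or group the ACE names
    allow: bool        # True = access-allowed ACE, False = access-denied ACE
    mask: int          # rights granted or denied
    depth: int = 0     # 0 = set on the object, 1 = inherited from parent, 2 = grandparent...


def canonical(dacl):
    """Order ACEs the way Windows evaluates them: explicit before inherited,
    nearer ancestors before farther ones, Deny before Allow at each level."""
    return sorted(dacl, key=lambda a: (a.depth, a.allow))


def access_check(dacl, principals, requested):
    """Return (granted, reason). `principals` models the token's SIDs as names:
    the account, its groups and the implicit Everyone."""
    remaining = requested
    for ace in canonical(dacl):
        if ace.trustee not in principals:
            continue
        if not ace.allow:
            # A matching Deny that covers any right not yet granted ends the check.
            if ace.mask & remaining:
                return False, f"denied by Deny ACE for {ace.trustee}"
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True, "all requested rights granted"
    # End of DACL with rights outstanding: nobody granted them (implicit deny).
    return False, "implicitly denied (no ACE grants the remaining rights)"


# Constructed student token: account, the Students group, and Everyone.
STUDENT = {"dan", "Students", "Everyone"}


def scenarios():
    """Four DACLs drawn from the thread, keyed by what each demonstrates."""
    results = {}
    # 1. C:\Apps\app.exe: Full Control for Everyone set on C:\Apps (depth 1)
    #    while the Deny lives on C:\ (depth 2). The nearer inherited Allow wins,
    #    so the application launches despite the root Deny.
    results["app in allowed dir"] = access_check(
        [Ace("Everyone", False, CHANGE, depth=2), Ace("Everyone", True, FULL, depth=1)],
        STUDENT, READ | EXECUTE)
    # 2. Both ACEs explicit on one object: the Deny for Everyone sorts first
    #    and wins, whatever Students are allowed (rrhunt28's point).
    results["explicit deny beats allow"] = access_check(
        [Ace("Students", True, CHANGE), Ace("Everyone", False, CHANGE)],
        STUDENT, READ)
    # 3. C:\Data\app.ini inherits only the Deny from C:\; granting Change to
    #    Students directly on the file puts an explicit Allow ahead of it.
    results["explicit allow beats inherited deny"] = access_check(
        [Ace("Everyone", False, CHANGE, depth=1), Ace("Students", True, CHANGE)],
        STUDENT, READ | WRITE)
    # 4. No Deny anywhere: the file lists only Administrators. Students match
    #    nothing, rights stay ungranted, and the check fails closed.
    results["implicit deny"] = access_check(
        [Ace("Administrators", True, FULL)], STUDENT, READ)
    return results


if __name__ == "__main__":
    for name, (granted, reason) in scenarios().items():
        print(f"{name:40s} {'ALLOW' if granted else 'DENY ':5s} {reason}")
```

Scenario 4 is the configuration the replies recommend: withholding access by leaving a principal out of the ACL needs no Deny ACE and never collides with an Allow added later for a specific application file.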
ASKER CERTIFIED SOLUTION
trywaredk:
This solution is only available to members of Experts Exchange.
PyroPhin:

As an IT consulting firm, we have had the exact same problem with Payroll software, Accounting software, Tax programs, etc. at virtually every one of our clients. It seems that none of the programmers of these products grasps the concept of locked-down workstations, as when we talk to them they reply "just give them Admin rights".

We finally got fed up and created a product that solves the problem. <Edited by SpideyMod>
softwareplugins,
Promoting your company or its products is against the membership agreement (https://www.experts-exchange.com/jsp/infoMemberAgreement.jsp ). I have edited your comments. At this point I need you to re-read the membership agreement and indicate that you understand within 72 hours. Failing that, I have an obligation to turn your account over to site administration for review.

SpideyMod
Community Support Moderator @Experts Exchange
The 'mantra' of locked-down workstation security is: give them permission to do what they need to do, and no more. You really can create a livable, workable world by making this your dogma.

I agree that denying file access to everything is likely to cause more than its share of problems, but thankfully Win 2000 and XP systems give you a reasonable set of permissions to start with. (BTW, you can reset the perms with the Security Templates; I'd suggest "securews" for your environment, but "setup security" is okay, too.)

Here's a time-honored trick I've used and taught a thousand times. This is the 'quick version', so let me know if you want to know more:

1.) Get the free programs 'FileMon' and 'RegMon' from www.sysinternals.com

2.) Log in as an unprivileged user, then use the 'runas' command to start the FileMon and RegMon programs

3.) Now run the program you're trying to fix--when you get the error(s), stop the monitoring programs and save the results

4.) Open the filemon.log and regmon.log in Excel and use features like "AutoFilter" to drill down to the "ACCESS DENIED" messages that the program is getting

5.) Open up permissions for CHANGE only to the files and/or Registry keys which got the access denied

6.) Now try it again... If you get more errors, you'll probably have to repeat the above steps until you get all the permissions ironed out.

7.) Don't forget to document what you found, and maybe make a script to fix the permissions 'cause someday you're sure to need them again!

Good luck!  ~ewall
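Steps 4, 5 and 7 of ewall's procedure (filter the saved logs down to ACCESS DENIED, open those paths up to Change only, and script the fix so it can be replayed on the next machine) can be done with a short script rather than by hand in Excel. The one below is an added example, not ewall's or Sysinternals' code. The log text is a constructed sample in the tab-separated layout FileMon and RegMon save (columns #, Time, Process, Request, Path, Result, Other); the program, group and path names are invented. It emits `cacls ... /E /G Students:C` lines for the file paths (cacls ships with Windows 2000; /E edits the existing ACL, :C is Change) and lists the registry keys separately, since cacls cannot set registry permissions and on Windows 2000 those go through regedt32's Permissions dialog.

```python
"""Triage FileMon/RegMon logs for ACCESS DENIED and draft the permission fix.
Added example; sample log lines, GRADEBOOK.EXE and the Students group are constructed."""

# Constructed FileMon output (tab-separated, header row first).
FILEMON_LOG = """\
#\tTime\tProcess\tRequest\tPath\tResult\tOther
41\t9:14:02 AM\tGRADEBOOK.EXE:1204\tOPEN\tC:\\Program Files\\Gradebook\\gradebook.ini\tACCESS DENIED\tOptions: Open  Access: Write
42\t9:14:02 AM\tGRADEBOOK.EXE:1204\tOPEN\tC:\\Program Files\\Gradebook\\gradebook.ini\tSUCCESS\tOptions: Open  Access: Read
43\t9:14:03 AM\tGRADEBOOK.EXE:1204\tCREATE\tC:\\WINNT\\gradebook.log\tACCESS DENIED\tOptions: OverwriteIf  Access: All
44\t9:14:03 AM\tGRADEBOOK.EXE:1204\tOPEN\tC:\\Program Files\\Gradebook\\gradebook.ini\tACCESS DENIED\tOptions: Open  Access: Write
45\t9:14:03 AM\tEXPLORER.EXE:632\tQUERY INFORMATION\tC:\\WINNT\\system32\\shell32.dll\tSUCCESS\tAttributes: A
"""

# Constructed RegMon output in the same layout. Value operations carry the
# value name as the last path component.
REGMON_LOG = """\
#\tTime\tProcess\tRequest\tPath\tResult\tOther
7\t9:14:01 AM\tGRADEBOOK.EXE:1204\tOpenKey\tHKLM\\SOFTWARE\\Gradebook\tSUCCESS\tAccess: 0x20019
8\t9:14:01 AM\tGRADEBOOK.EXE:1204\tSetValue\tHKLM\\SOFTWARE\\Gradebook\\LastUser\tACCESS DENIED\t"dan"
9\t9:14:01 AM\tGRADEBOOK.EXE:1204\tCreateKey\tHKCU\\Software\\Gradebook\tSUCCESS\tAccess: 0xF003F
"""


def denied_entries(log_text):
    """Yield (process, request, path, other) for every ACCESS DENIED row.
    The first non-empty line is the header and names the columns."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    col = {name: i for i, name in enumerate(header)}
    for line in lines[1:]:
        row = line.split("\t")
        if len(row) < len(header):
            continue  # tolerate a truncated line from a log cut mid-write
        if row[col["Result"]].strip().upper() == "ACCESS DENIED":
            yield row[col["Process"]], row[col["Request"]], row[col["Path"]], row[col["Other"]]


def registry_key(path, request):
    """Permissions live on keys, so for value-level requests (SetValue,
    QueryValue, DeleteValue) drop the trailing value name."""
    if "Value" in request and "\\" in path:
        return path.rsplit("\\", 1)[0]
    return path


def triage(filemon_text, regmon_text):
    """Return ({file_path: {requests}}, {registry_key: {requests}}) for the
    denied operations, deduplicated in first-seen order."""
    files, keys = {}, {}
    for _, request, path, _ in denied_entries(filemon_text):
        files.setdefault(path, set()).add(request)
    for _, request, path, _ in denied_entries(regmon_text):
        keys.setdefault(registry_key(path, request), set()).add(request)
    return files, keys


def cacls_script(files, group="Students"):
    """Lines for a .cmd granting Change (:C) to `group` on each denied file,
    editing the existing ACL (/E) rather than replacing it. `group` is an
    assumed local or domain group name."""
    return [f'cacls "{path}" /E /G {group}:C' for path in files]


if __name__ == "__main__":
    files, keys = triage(FILEMON_LOG, REGMON_LOG)
    print("REM files the program could not open; grant Change to the group")
    for line in cacls_script(files):
        print(line)
    print("REM registry keys to open for Change (not settable with cacls;")
    print("REM use regedt32's Permissions dialog on Windows 2000)")
    for key, requests in keys.items():
        print(f"REM {key}  ({', '.join(sorted(requests))})")
```

Run the script against the two saved logs, review the generated .cmd before applying it, and keep it with the documentation from step 7; rerunning the monitors after each pass will shrink the list until the program runs clean as a student.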