[Webinar] Streamline your web hosting managementRegister Today


Win 2000 security not liking application

Posted on 2003-03-10
Medium Priority
Last Modified: 2010-04-11
hey, quick question:

i set up a 2k network in a classroom at my school, 2k server and 2kpro workstations. i am having difficulties running applicaitons in any user other than administrator, leaving me no other option other than to set the student accounts as admin so the apps may be used. as you can imagine this causes alot of hastle. i have tried installing the apps on a network drive, but with 35 machines, that is more drive space than i have and, there has to be a better way.
 i have some security in place on the workstations. i dont allow access to the C:\ drive in the GP and deny all access besides list directory on each workstation. the programs are all installed in a directory with full control for everyone so i dont think the denial of access to C would affect them much.

is there a way to run just the application as an administrator? i know you can do it and enter your password every time, but that isnt practical for this application.

Thanks in advance for yor help

Question by:PyroPhin

Expert Comment

ID: 8104823
Unfortunatly some applications require admin rights.  If you had them sign on and off at least you would have a record if someone scrued something up.  

Expert Comment

ID: 8105243
DENY takes precidence over ALLOW... so by explicitly denying "everyone" access, there is no way they will have access.  If you dont want them to have access to a file, just make sure the user accounts they are using are not listed in the security properties, nor any of the groups they belong too, this includes the "everyone" group.  

Hope this helps.

Expert Comment

ID: 8111191
PowerUsers can do a lot, I have not run into many app's that can't be run as an PowerUser. Setup's and install's do need admin rights, especially if they need to modify the registry. RunAs can give you admin rights, below are two links you should read. By holding Shift and right-clicking an Icon you'll see the RunAs in the list of options. Type in your username/pass and domain (unless you have a local account you'll be using) then click ok. RunAs can also be run from the cmd line.

PowerUser's are able to install Program updates like those from a virus program, like mcafee or norton.
There aren't many trivial things that they can't do. Most of the big stuff like installs, and registry modification's are minimum.
Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!


Expert Comment

ID: 8111284
And WinXPFixR is right- you may be being too strict. Or if your remove the everyone- be sure to add the users that are using that app, no matter what group they'd be in. That should save you some headache- also a little premptive note- do not remove the SYSTEM account from the drive where your Pagefile.sys file resides- that account is needed to properly create the page file.

Expert Comment

ID: 8113577
  I agree with WinXpFixr.  you don't want to explicity Deny access to C.  What I suggest is make sure your students have read and execute on C:\  Also, give your users limited accounts on the workstations (or It will be easier for you to install the active directory and have a domain inside your classroom then set all your users to domain users that way they may have local acocunts on each machine without administrator access).
   I hope that helps.
LVL 12

Accepted Solution

trywaredk earned 150 total points
ID: 8150715
PYROPHIN... Some applications require membership of Local Power Users, some applications require membership of Local admin group.

This problem is increasing, and You are totally right, when saying "leaving me no other option other than to set the student accounts as admin so the apps may be used. as you can imagine this causes alot of hastle."

But it does'nt matter that You "have some security in place on the workstations. i dont allow access to the C:\ drive in the GP and deny all access besides list directory on each workstation."

Because being member of the local admin group means what it says. Users can do anything the like with anything on the hard disc.

But You have another problem, so PLEASE READ THIS CAREFULLY:

You must NEVER NEVER add a Domain User Group to the Local Admin Group on each workstation.

And You must NEVER add the same Domain User to the Local Admin Group on more than his/hers own workstation

If You add a Domain Group membership to the Local Admin Group, everyone being member gets unlimited REMOTE access power of all simular workstations on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)



You have to add the Domain User Group to the Local Admin Group on BOTH test-workstations, and logout and logon again.

Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.

Please reply, when You have removed the Domain User Group from the Local Admin Group again!

Many Regards

Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open.

Expert Comment

ID: 8188433

As an IT consulting firm, we have had the exact same problem with Payroll software, Accounting software, Tax programs, etc. at virtually every one of our clients. It seems that none of the programmers of these products grasps the concept of locked-down workstations, as when we talk to them they reply "just give them Admin rights".

We finally got fed up and created a product that solves the problem. <Edited by SpideyMod>

Expert Comment

ID: 8220598
Promoting your company or it's products is against the membership agreement (http://www.experts-exchange.com/jsp/infoMemberAgreement.jsp ).  I have edited your comments.  At this point I need you to re-read the membership agreement and indicate that you understand within 72 hours.  Failing that, I have an obligation to turn your account over to site administration for review.

Community Support Moderator @Experts Exchange

Expert Comment

ID: 8241990
The 'mantra' of locked-downed workstation security is: give them permission to do what they need to do, and no more. You really can create a liveable, workable world by making this your dogma.

I agree that denying file access to everything is likely to cause more than its share of problems, but thankfully  Win 2000 and XP systems give you a reasonable set of permissions to start with. (BTW, you can reset the perms with the Security Templates--I'd suggest "securews" for your environment, but "setup security" is okay, too.)

Here's a time-honored trick I've used and taught a thousand times. This is the 'quick version', so let me know if you want to know more:

1.) Get the free programs 'FileMon' and 'RegMon' from www.sysinternals.com

2.) Login as an unprivileged user, the use the 'runas' command to start the FileMon and RegMon programs

3.) Now run the program you're trying to fix--when you get the error(s), stop the monitoring programs and save the results

4.) Open the filemon.log and regmon.log in Excel and use features like "AutoFilter" to drill down to the "ACCESS DENIED" messages that the program is getting

5.) Open up permissions for CHANGE only to the files and/or Registry keys which got the access denied

6.) Now try it again... If you get more errors, you'll probably have to repeat the above steps until you get all the permissions ironed out.

7.) Don't forget to document what you found, and maybe make a script to fix the permissions 'cause someday you're sure to need them again!

Good luck!  ~ewall

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Each password manager has its own problems in dealing with certain websites and their login methods. In Part 1, I review the Top 5 Password Managers that I've found to be the best. In Part 2 we'll look at which ones co-exist together and why it'…
This blog will spread awareness about Dropbox. We have given the statements based upon our experience. Along with this, there is a section of some new plans that should be added in Dropbox this year. This will make the storage service enhanced from …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Get the source code for a fully functional Access application shell with several popular security features that Access VBA application developers desire, but find difficult or impossible to figure out how to code. You get the source code for managi…
Suggested Courses

590 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question