


Posted on 2005-04-12
Medium Priority
Last Modified: 2010-04-10
Hi There

I have posted a similar question to this before and I am having the same problem. Here it is...

If I install Windows XP onto a new client machine, log in as the administrator and install all the necessary apps and things that he may need, all works fine.

After all that, I grant that user admin rights to his PC, creating his name with admin priv. to the local machine.

I then log off and log in with his name and all seems to be fine. If I click on a specific app it gives me an error or a series of errors, but when I hold in Shift and right-click, select "Run as" and type in the domain account "administrator" and password, then it runs fine.

I cannot give the users that password. What could be wrong? I have a system policy in place which prevents the users from installing/removing apps and playing with settings. Could this be the cause? What can I do to correct it?
Question by:hitechauto

Expert Comment

ID: 13760356
You have not given enough info for us to be able to understand really what happens but generally if you install a program under another user name the program will sometimes try to create default settings at first start of a new user. Still if you really have given local admin to the user he has all rights possible on the local machine, therefore did you check if the app tries to update something on the server?
LVL 10

Expert Comment

ID: 13760621
You need to apply a security template to the workstation to make sure legacy programs/applications work.

Compatible: Compatws.inf

The Compatible template opens up the default permissions for the Local Users group so that legacy programs are more likely to run. This configuration is not considered a secure environment.


This link has everything you need to set this up either on your domain or locally using the "Security Configuration and Analysis" MMC snap-in.
LVL 10

Expert Comment

ID: 13760635

LVL 12

Expert Comment

ID: 13760781
I don't get you.

Why not install it all with the user's admin account and be done with it?

As for the programs not working. Sounds like the applications got installed for the user. Not for all users.

Lastly, giving your user an admin account will provide him the means to crack your account. Why on earth would you give him an admin account??? You can give him some admin privileges. But not all. Big risk and will get you a lot more corrective work seeing they can break more.


Author Comment

ID: 13760791
Hi, found the problem


H_KEY Local machine, software, policies, microsoft, windows, installer

There is an entry there called "EnableAdminTSRemote". When the value = "1" it will always request "Admin Priv" unless logged in as an administrator. I reset the value to "0" and it works fine.

Microsoft never seems to amaze me!

Thanks for the input
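
An added example, not part of the original thread: a PowerShell audit of the Windows Installer policy key named in the comment above, meant to be run before and after a change such as resetting EnableAdminTSRemote from 1 to 0 so the change is recorded. The function name `Get-InstallerPolicy`, the CSV file name and the extra AlwaysInstallElevated check are assumptions of this example, and it assumes PowerShell is available on the workstation.

```powershell
# Added example: list every value under the Windows Installer policy key in
# both hives and flag the ones worth reviewing.
$subKey = 'Software\Policies\Microsoft\Windows\Installer'

# EnableAdminTSRemote is the value named in the post; AlwaysInstallElevated
# is an addition of this example (it lets MSI packages install elevated).
$watch = 'EnableAdminTSRemote', 'AlwaysInstallElevated'

function Get-InstallerPolicy {
    # HKCU is the hive of the account running the script, so run it once as
    # the affected user and once as an administrator to compare.
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\$subKey"
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Hive = $hive; Name = '(key absent)'
                               Value = $null; Kind = $null; Watched = $false }
            continue
        }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Hive    = $hive
                Name    = $name
                Value   = $key.GetValue($name)
                Kind    = $key.GetValueKind($name)
                Watched = $watch -contains $name
            }
        }
    }
}

$report = @(Get-InstallerPolicy)
$report | Format-Table -AutoSize

# Keep a timestamped snapshot so a later registry edit can be diffed against it.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$report | Export-Csv -NoTypeInformation -Path ".\installer-policy-$env:COMPUTERNAME-$stamp.csv"

# AlwaysInstallElevated only takes effect when it is 1 in BOTH hives; that
# combination gives any user SYSTEM-level installs and should not be the fix.
$elevated = @($report | Where-Object { $_.Name -eq 'AlwaysInstallElevated' -and $_.Value -eq 1 })
if ($elevated.Count -eq 2) {
    Write-Warning 'AlwaysInstallElevated is enabled for machine and user: review this policy.'
}
```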

LVL 10

Expert Comment

ID: 13761004
The work-around to the problem you posted is for admins installing apps from a TS session?

If you follow the steps I have outlined, you will have a resolution that works.

Accepted Solution

Wallsy earned 1500 total points
ID: 13761699
It sounds to me like your policies are interfering with the default behaviour of the applications. If the apps are MSI based then every time a new user logs on it will run the MSI again to install the new user's settings (if there are any).

Usually the two approaches are to either open the whole machine up (and let users install/uninstall apps themselves) or lock the machine down and use a deployment system like SMS to handle software deployment.

Probably the easiest way to achieve what you want is to install the applications as the user, and then lock their account down, with either policy or user rights changes.

I do agree with kneh though - the users shouldn't need admin rights!


LVL 11

Expert Comment

ID: 13764487
Ok ... My guess is the application is not compatible with a multi user environment. It's as simple as that.
I would say there's an easy way to solve this ... I was thinking about running through a batch using the "runas" command ... but you still must input the password each time. Unless you know something about programming and hardcode the password in the program itself ... then that program would call the target one using a similar process as runas and using the hardcoded password and admin username ...


Expert Comment

ID: 13765364
The problem is actually as simple as profiles.  The application was installed as admin, so the admin profile may have specific application settings.  The best thing to try is to follow these steps:

(1)  Create a second admin account on the workstation
(2)  Log in as the second admin account
(3)  Copy the Default User profile folder for backup purposes
(4)  Using the Profile Manager (Properties of My Computer/ Advanced Tab/ User Profiles Settings button)
(5)  Copy the original administrator profile to the Default User profile
(6)  Assign the Everyone group permission to the profile.
(7)  Log in as a user that has not logged into the workstation before
(8)  Test apps.

Hope that helps!
