Non-Admin User access to write specific registry values

Posted on 2006-07-17
Last Modified: 2008-01-09
I have an application that needs to be installed for a customer. The application attempts to write registry values when it launches.  Because the machine is on a restricted domain, the users will never have admin access.  

How can I allow them to use the application and only write those registry values which I allow (assuming I have domain administrator access) ?
Question by:mmarksbury
17 Comments
 
LVL 24

Accepted Solution

by:
Kenneniah earned 500 total points
Open regedit, browse to the registry key, right-click the key and hit Permissions. Set permissions as desired.
 
LVL 5

Expert Comment

by:CyberneticsConnoisseur
The Elevated Privileges Application Launcher (EPAL) tool is designed to assist with a fairly narrow spectrum of application compatibility issues. With EPAL the network administrator now has the ability to give the user only local user privileges on their system and have the application execute at some higher privilege level on the local system they are currently logged on to.

read more about it here:

http://www.netscum.dk/technet/prodtechnol/windows2000serv/downloads/epal.mspx

it also provides the download link.

Hope this helps


Carpe Diem
 
LVL 7

Expert Comment

by:puter_geek
Hold down "SHIFT" and right click on the application and click on "Run As", and it will prompt you for the username and password.  Type in a username and password with authority and it will then allow you to install it.
 

Expert Comment

by:nickganga
If you login as yourself (domain admin), on the local computer... go to the control panel and double click on users, you can then set up this customer as a power user or admin for that local computer only.

I would suggest to set him up as a power user, log him in and check to see if the program works, if it does then problem solved.

If not however try making him a local admin of that computer, Although i would only suggest that if it is not a shared computer.
 
LVL 7

Author Comment

by:mmarksbury
It is a shared computer.  And the tricky part is that the application creates these registry keys in the HKEY_CURRENT_USER branch for each user that uses the application.
 
LVL 5

Expert Comment

by:CyberneticsConnoisseur
Didn't EPAL help you in this?
 
LVL 7

Author Comment

by:mmarksbury
I want to use EPAL as a last resort.  I am not the Domain Admin, though I can gain administrator access to the machine.  What this means is that I don't have the luxury of creating another user which this application will run as.  My network team might not be willing to allow this.
 
LVL 5

Expert Comment

by:CyberneticsConnoisseur
I am not sure adding the user to the "Power Users" group will help, but have you tried it anyway?
 
LVL 7

Author Comment

by:mmarksbury
Our network team does not allow power users.  That is why I was looking for an alternate registry based (one time setting).
 
LVL 24

Expert Comment

by:Kenneniah
"And the tricky part is that the application creates these registry keys in the HKEY_CURRENT_USER"
If that's where it's trying to write, then it's not a registry permissions problem.
Every user by default should have Full Control of their own user registry.
 
LVL 7

Author Comment

by:mmarksbury
A standard Domain User does not have permission to go in and start whacking away at their registry or creating keys.  If that was true, any user could install just about any application.
 
LVL 24

Expert Comment

by:Kenneniah
Hence what I said. A user DOES have Full Control of their user hive (HKEY_CURRENT_USER). They do NOT have Full Control of HKEY_LOCAL_MACHINE, HKEY_CLASSES_ROOT, or HKEY_CURRENT_CONFIG and so forth. If the only location your program writes to is in HKEY_CURRENT_USER, then yes, they do have Full Control.

Most programs need write access to certain folders on the hard drive, and to HKEY_LOCAL_MACHINE\Software, which is why they fail under Users.
 
LVL 5

Expert Comment

by:CyberneticsConnoisseur
I would disagree with that statement, Kenneniah. The access rights to the registry can be restricted at user level. Whatever is defined by the domain admin, the user has only that level of access to the system and applications, and if a domain admin has defined the network security well, a non-admin user cannot change the settings defined to restrict him in the current_user hive. If a user could do that, it defeats the purpose of applying user restrictions in a network. HKLM sets system-wide restrictions and HKCU sets user-specific restrictions. A user's control over HKCU is only up to the point that he can do what the settings there allow the user to do; he can't go there and change it to suit his/her own needs. That basically is the job of setting restrictions on users through the registry.
 
LVL 24

Expert Comment

by:Kenneniah
Open up Regedit while logged in as ANY user, right-click on HKEY_CURRENT_USER and hit Permissions. What permissions do you see given to the user account?
Yes, those permissions can be changed, but BY DEFAULT (which is what I stated) the registry permissions on HKEY_CURRENT_USER give FULL CONTROL to that user account.
Certain keys such as HKEY_CURRENT_USER\Software\Policies have different permissions. But by far the vast majority of HKEY_CURRENT_USER has Full Control given to the user. And I seriously doubt the program in question needs to write to the Policies key.
 
LVL 24

Expert Comment

by:Kenneniah
From http://www.kellys-korner-xp.com/xp_groups.htm

"Users cannot modify system wide registry settings, operating system files, or program files. Users can shut down workstations, but not servers. Users can create local groups, but can manage only the local groups that they created. They can run certified Windows XP Professional programs that have been installed or deployed by administrators. Users have Full Control over all of their own data files (%userprofile%) and their own portion of the registry (HKEY_CURRENT_USER)."

Read the "Default File System and Registry Permissions" from....
http://download.microsoft.com/download/1/b/8/1b8fc001-6f67-4ea1-b0f2-8add1da8cbc0/SecDefs2003.doc
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/secdefs.mspx
 
LVL 7

Author Comment

by:mmarksbury
Thanks.  More info indicates that there are values being written to HKLM as well.  Any suggestion giving the history we've discussed here?
 
LVL 24

Expert Comment

by:Kenneniah
Basically you can just browse to the keys it needs access to in regedit (for example HKLM\Software\Program).
Right-click on those keys and hit Permissions.
Then hit the Advanced button, select the Users group and hit Edit.
Then put checks next to everything a user is going to need to be able to do to that key (i.e., Set Value gives them the ability to change the data for a value, and so on). Personally, for something like this I'd just give the Users group Full Control, as the security risk is very minimal with just a couple of keys, especially if those keys are only related to that application.

If it's just 1 computer I'd probably just do it manually. For more, I'd make a batch file or script using setacl.exe from http://setacl.sourceforge.net/, or I'd create a security template in mmc that sets registry permissions and push that template out through group policy.
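The two checks the thread ends on, inspecting the ACL on HKEY_CURRENT_USER and then opening only the application's own HKLM key to the Users group, can be scripted instead of clicked through in regedit. The script below is an added example, not code from the thread or from any of its participants; the key name HKLM:\SOFTWARE\ExampleVendor\ExampleApp is a hypothetical placeholder for whatever key the application actually fails to write. It grants only the rights an application needs to read, create and update its own values, with -FullControl available if you want to reproduce the "just give Users Full Control" approach from the accepted answer.

```powershell
# Added example (not from the thread). Assumes the application's key is
# HKLM:\SOFTWARE\ExampleVendor\ExampleApp, a hypothetical name; substitute
# the key(s) the application actually fails to write. Run from an elevated
# (administrator) PowerShell session on the target machine.

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Lists the access control entries on a registry key, e.g. to confirm that
# the logged-on user already holds FullControl over HKCU before touching HKLM.
function Get-RegistryKeyAccess {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
        }
    }
}

# Grants BUILTIN\Users (or another principal) write access to one key and,
# via ContainerInherit, to the subkeys the application creates below it.
# By default only the rights needed to read, create and update values are
# granted; -FullControl additionally lets users change the key's permissions
# and owner, which is more than a shared machine should hand out.
function Grant-RegistryKeyWrite {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Identity = 'BUILTIN\Users',
        [switch]$FullControl
    )

    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null   # create the key if setup did not
    }

    $R = [System.Security.AccessControl.RegistryRights]
    $rights = if ($FullControl) {
        $R::FullControl
    } else {
        $R::QueryValues -bor $R::SetValue -bor $R::CreateSubKey -bor
        $R::EnumerateSubKeys -bor $R::Notify -bor $R::ReadPermissions
    }

    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $Identity,
        $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Confirm the point made above: the user's own hive is already writable.
Get-RegistryKeyAccess -Path 'HKCU:\Software' | Format-Table -AutoSize

# 2. Open only the application's own HKLM key to members of Users.
$appKey = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'   # hypothetical key name
Grant-RegistryKeyWrite -Path $appKey
Get-RegistryKeyAccess -Path $appKey | Format-Table -AutoSize
```

Two practical caveats. First, keep the grant to the application's own key: a key that every user can write and that a privileged process (a service, scheduled task or installer) later reads for a path or command is a privilege-escalation route, so never widen the rights on HKLM\SOFTWARE itself or on Microsoft's keys. Second, on 64-bit Windows a 32-bit application's writes to HKLM\SOFTWARE are redirected to HKLM\SOFTWARE\WOW6432Node, so the key you need to open may live there rather than at the path the application appears to use.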
