• Status: Solved

Non-Admin User access to write specific registry values

I have an application that needs to be installed for a customer. The application attempts to write registry values when it launches. Because the machine is on a restricted domain, the users will never have admin access.

How can I allow them to use the application and only write those registry values which I allow (assuming I have domain administrator access)?
Asked by: mmarksbury
1 Solution
 
Kenneniah Commented:
Open regedit, browse to the registry key, right-click the key and hit Permissions. Set permissions as desired.
0
 
CyberneticsConnoisseur Commented:
The Elevated Privileges Application Launcher (EPAL) tool is designed to assist a fairly narrow spectrum of the application compatibility issues. With EPAL the network administrator now has the ability of only giving the user local user privileges on their systems and have the application execute at some higher privilege level on the local system that they are currently logged on with.

Read more about it here:

http://www.netscum.dk/technet/prodtechnol/windows2000serv/downloads/epal.mspx

It also provides the download link.

Hope this helps


Carpe Diem
0
 
Justin Collins, IT Support Technician, Commented:
Hold down "SHIFT" and right-click on the application and click on "Run As" and it will prompt you for the uname and password. Type in a uname or password with authority and it will then allow you to install it.
0
 
nickganga Commented:
If you log in as yourself (domain admin) on the local computer, go to the Control Panel and double-click on Users; you can then set up this customer as a power user or admin for that local computer only.

I would suggest setting him up as a power user, logging him in and checking to see if the program works. If it does, then problem solved.

If not, however, try making him a local admin of that computer, although I would only suggest that if it is not a shared computer.
0
 
mmarksbury (Author) Commented:
It is a shared computer.  And the tricky part is that the application creates these registry keys in the HKEY_CURRENT_USER branch for each user that uses the application.
0
 
CyberneticsConnoisseur Commented:
Didn't EPAL help you in this?
0
 
mmarksbury (Author) Commented:
I want to use EPAL as a last resort. I am not the Domain Admin, though I can gain administrator access to the machine. What this means is that I don't have the luxury of creating another user by which this application will run as. My network team might not be willing to allow this.
0
 
CyberneticsConnoisseur Commented:
I am not sure adding the user to the "power user" group will help, but have you tried it anyway?
0
 
mmarksbury (Author) Commented:
Our network team does not allow power users.  That is why I was looking for an alternate registry based (one time setting).
0
 
Kenneniah Commented:
"And the tricky part is that the application creates these registry keys in the HKEY_CURRENT_USER"
If that's where it's trying to write, then it's not a registry permissions problem.
Every user by default should have Full Control of their own user registry.
0
 
mmarksbury (Author) Commented:
A standard Domain User does not have permission to go in and start whacking away at their registry or creating keys.  If that was true, any user could install just about any application.
0
 
Kenneniah Commented:
Hence what I said. A user DOES have Full Control to their user hive (HKEY_CURRENT_USER). They do NOT have Full Control to HKEY_LOCAL_MACHINE, HKEY_CLASSES_ROOT, or HKEY_CURRENT_CONFIG and so forth. If the only location your program writes to is in HKEY_CURRENT_USER, then yes, they do have Full Control.

Most programs need write access to certain folders on the hard drive, and to HKEY_LOCAL_MACHINE\Software, which is why they fail under Users.
0
 
CyberneticsConnoisseur Commented:
I would disagree with that statement, Kenneniah; the access rights to the registry can be restricted at user level. Whatever is defined by the domain admin, the user has only that level of access to the system and applications. And if a domain admin has defined the network security well, a non-admin user cannot change the settings defined to restrict him in the current_user hive. If a user could do that, it defeats the purpose of applying user restrictions in a network. HKLM sets system-wide restrictions and HKCU sets user-specific restrictions. A user's control over HKCU is only up to the point that he can do what the settings there allow the user to do; he can't go there and change it to suit his/her own needs. That basically is the job of setting restrictions on the user through the registry.
0
 
Kenneniah Commented:
Open up Regedit while logged in as ANY user, right-click on HKEY_CURRENT_USER and hit Permissions. What permissions do you see given to the user account?
Yes, those permissions can be changed, but BY DEFAULT (which is what I stated) the registry permissions on HKEY_CURRENT_USER give FULL CONTROL to that user account.
Certain keys such as HKEY_CURRENT_USER\Software\Policies have different permissions. But by far the vast majority of HKEY_CURRENT_USER has Full Control given to the user. And I seriously doubt the program in question is needing to write to the policies key.
0
 
Kenneniah Commented:
From http://www.kellys-korner-xp.com/xp_groups.htm

"Users cannot modify system wide registry settings, operating system files, or program files. Users can shut down workstations, but not servers. Users can create local groups, but can manage only the local groups that they created. They can run certified Windows XP Professional programs that have been installed or deployed by administrators. Users have Full Control over all of their own data files (%userprofile%) and their own portion of the registry (HKEY_CURRENT_USER)."

Read the "Default File System and Registry Permissions" from....
http://download.microsoft.com/download/1/b/8/1b8fc001-6f67-4ea1-b0f2-8add1da8cbc0/SecDefs2003.doc
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/secdefs.mspx
0
 
mmarksbury (Author) Commented:
Thanks. More info indicates that there are values being written to HKLM as well. Any suggestion given the history we've discussed here?
0
 
Kenneniah Commented:
Basically you can just browse to the keys it needs access to in regedit (for example HKLM\Software\Program).
Right-click on those keys and hit Permissions.
Then hit the Advanced button, select the Users group and hit Edit.
Then put checks next to everything a user is going to need to be able to do to that key (i.e., Set Value gives them the ability to change the data for a value and so on). Personally, for something like this I'd just give the Users group Full Control, as the security risk is very minimal with just a couple of keys, especially if those keys are only related to that application.

If it's just 1 computer I'd probably just do it manually. For more, I'd make a batch file or script using setacl.exe from http://setacl.sourceforge.net/, or I'd create a security template in mmc that sets registry permissions and push that template out through group policy.
0
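Added example (not part of the thread or any poster's own script): a PowerShell version of the per-key permission change described in the answer above, granting the Users group only read, Set Value and Create Subkey rather than Full Control, then checking the result. The key path and the function names `Grant-KeyWrite` and `Test-KeyOverGrant` are placeholders chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example. The key path is a placeholder, not taken from the thread.
$KeyPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'

# Well-known SID of BUILTIN\Users (independent of the OS display language).
$UsersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

# Read the key, change values and create subkeys; no delete, no ACL changes.
$NeededRights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'

function Grant-KeyWrite {
    param([string]$Path, $Sid, $Rights)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Key not found: $Path" }
    $acl = Get-Acl -LiteralPath $Path
    # ContainerInherit makes the rule apply to subkeys of this key as well.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Sid, $Rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-KeyOverGrant {
    # Returns allow rules for the SID that include Delete, ChangePermissions
    # or TakeOwnership, i.e. more than the application needs to write values.
    param([string]$Path, $Sid)
    $risky = [System.Security.AccessControl.RegistryRights]'Delete, ChangePermissions, TakeOwnership'
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    $rules | Where-Object {
        $_.IdentityReference -eq $Sid -and
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.RegistryRights -band [int]$risky) -ne 0
    }
}

Grant-KeyWrite -Path $KeyPath -Sid $UsersSid -Rights $NeededRights
$over = @(Test-KeyOverGrant -Path $KeyPath -Sid $UsersSid)
if ($over.Count) { Write-Warning "Users holds more than write access on $KeyPath"; $over }
(Get-Acl -LiteralPath $KeyPath).Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited
```

Run it from an elevated session on the target machine; the final table shows every rule on the key, including inherited ones, so the change can be reviewed before rolling it out more widely.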
Question has a verified solution.