Set Program to Run As Administrator Permanently

I have several client computers running Windows XP Pro SP2 that are connected by my active directory domain. I have a program that each client needs to run, but for it to work correctly it must be run as an administrator. If I give the domain users full permissions on the folder the software is installed, it allows it to run, but generates errors. It appears there are some registry files in the software folder that need to run.

Is there a way to give a domain user full right to execute the software without making them all administrators? How can I set the "run as" property where it will maintain the settings?

I appreciate any help you can provide.

Thank you,
Kristofer
conquerdevAsked:
Who is Participating?
 
discgmanConnect With a Mentor Commented:
1st you can try to add domain users to all the users computers power users local group. Its a manual process unless you can script it or add it to an image.

2nd, due to AD security you should not have the run as command automatically have anyone logged onto it. Check with the manufacturer of the software to see what processes run when the program runs and where are all its main files stored on the hard drive. You might have to give permissions to many folders on the pc's.

I am sure you have more questions, just send a reply.


Discgman
0
 
sliiconmanCommented:
If the files and registry keys need permissions checkout FileMon and RegMon.  Then in group policy add the keys and the files needed. This is much more secure. We do it all the time as we do not let users run with elevated privelages.

0
 
Shift-3Commented:
As you said, the program is probably trying to access registry entries which users don't have permission to.  You can use Process Monitor to find out which keys to grant users permission to.
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
Shift-3Commented:
Ah, I'm one minute too late.  Process Monitor is a newer, integrated version of FileMon and RegMon.
0
 
sliiconmanCommented:
       ....    After you download regmon and filemon add the icon to the all users desktop. Logon to the server as the regular user account with no rights.  

Do a run as on the filemon and or regmon as a local admin. Start the logging of filemon or regmon.

Then as the regular logged on user try the application. Let it fail. Stop the logging and look for access denied. This may take a few tries as some keys expose others.

Add authenticated users to the keys that need access or a group you create. Add the permissions locall on the computers registry or files and make sure it all works. Then add it to domain policy at the appropriate level
0
 
sliiconmanCommented:
I still prefer regmon and filemon.. but thats me :) Old habits do not die sometimes ! ;)
0
 
Shift-3Commented:
ProcMon does all of the same things.  The filters are a little more intimidating, but you can easily turn off all file or registry entries using the toolbar buttons in the upper right.
0
 
conquerdevAuthor Commented:
Hello discqman,

The adding of the domain users to the power users on the local computers did the trick. I appreciate your help.

Thank you,
Kristofer
0
 
sliiconmanCommented:
Really? That is the answer that was accepted? Ouch! While it is a correct best practice it doesn't seem like the best solution to this, or a solution at all.
0
 
discgmanCommented:
Would you rather spend the day analyzing processes or add a user group to power users and get on with the next issue? Users are not that patient...
0
 
sliiconmanCommented:
It takes minutes to do this and it makes the company more secure.  It is admin preference. I prefer to give users as little permission as possible.POwer users is too much for my liking way too much. The log atkes about 5 minutes to disect one sort for access denied and 5 minutes to add to GPO . Definetly NOT all day or more than 15 minutes.

To each there own.
0
 
discgmanCommented:
Agree to disagree.
0
All Courses

From novice to tech pro — start learning today.