Solved

Allow non-admins to update files in the System32 folder (or make a limited admin account)

Posted on 2009-07-08
6
705 Views
Last Modified: 2013-12-04
I have a terminal server running Windows 2008.  This server is running an application which *has* to update itself from the internet at least once per day otherwise it doesn't work.  Therefore I would like any user to be able to run the update procedure.

The update runs as administrator but not as a limited user.  The update always fails on a certain file in the Windows System32 folder, despite me granting "Domain Users" full controll to the file.  After using "Process Monitor" I have found that Windows appears to be redirecting the request from Windows\system32\filename to User's profile\windows\system32\filename - the file doesn't exist in this location and the update fails.

Is there any way I can stop Windows 2008 from redirecting this file?  This way I can give users full controll to the files relating to the app in system32 and the update will then hopefully succeed.  

Alternatively, is there a way to make a "limited" admin account.  By this I mean a account with admin rights (therefore permissions to update system32), however this account cannot run any applications other than this software (since I don't want users running apps on the terminal server they are not supposed to have access to).  This way I can educate users to right click the update exe and "run as" this limited admin account.

Any help gratefully received.
0
Comment
Question by:wasc
6 Comments
 
LVL 10

Expert Comment

by:abraham808
ID: 24805230
Try creating another User Group and apply permissions to that group.
0
 

Author Comment

by:wasc
ID: 24806036
Thanks for the suggestion.  I already tried giving Domain Users full control to the files in System32 that belong to the app without success.  I'm not sure what other permissions I could apply with another user group.

I believe it's something to do with redirection on Windows 2008 since the app is trying to write to U:\Windows\System32\file instead of C:\Windows\system32\file where U is their home profile location.  Therefore it looks like windows is silently redirecting the write request to the windows system32 folder.
0
 
LVL 6

Expert Comment

by:ou_dober
ID: 24806203
Have you considered making a script to run the update and than add it to the server task scheduler to run daily or multiple times a day?  By using task scheduler, you can put in the administrator credentials for the server without elevating the domain user privileges to get the update completed.

ou_dober
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 6

Accepted Solution

by:
ou_dober earned 500 total points
ID: 24806678
Another option could be this:

The shortcut can than be added to the default user startup folder, add in the TS login script, the default user desktop, or in the registry.

@echo off
psexec -accepteula -u administrator -p password c:\windows\notepad.exe

Open in new window

0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24811101
Just a random guess here but i'm going to guess it has something to do with the way the updates are being started. If you go to a command prompt Start-Run-> type CMD and press ok...I will assume the default path shows up as U:\  

You can try changing the default command path to C:\ as shown at http://windowsxp.mvps.org/autoruncmd.htm

Then we can see if it tries to update the correct location.
0
 

Author Closing Comment

by:wasc
ID: 31601172
Excellent - this one works well.  I've given all users access to the exe file created by BAT to EXE Converter 1.5 and have deleted the batch file itself (so they can't open it to see the password).

Now everyone can run the update program (as administrator) without being given admin rights or knowing an admin password.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Know what services you can and cannot, should and should not combine on your server.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question