Allow non-admins to update files in the System32 folder (or make a limited admin account)
Posted on 2009-07-08
I have a terminal server running Windows 2008. This server is running an application which *has* to update itself from the internet at least once per day otherwise it doesn't work. Therefore I would like any user to be able to run the update procedure.
The update runs as administrator but not as a limited user. The update always fails on a certain file in the Windows System32 folder, despite me granting "Domain Users" full controll to the file. After using "Process Monitor" I have found that Windows appears to be redirecting the request from Windows\system32\filename to User's profile\windows\system32\filename - the file doesn't exist in this location and the update fails.
Is there any way I can stop Windows 2008 from redirecting this file? This way I can give users full controll to the files relating to the app in system32 and the update will then hopefully succeed.
Alternatively, is there a way to make a "limited" admin account. By this I mean a account with admin rights (therefore permissions to update system32), however this account cannot run any applications other than this software (since I don't want users running apps on the terminal server they are not supposed to have access to). This way I can educate users to right click the update exe and "run as" this limited admin account.
Any help gratefully received.