[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Allow non-admins to update files in the System32 folder (or make a limited admin account)

Posted on 2009-07-08
6
Medium Priority
?
724 Views
Last Modified: 2013-12-04
I have a terminal server running Windows 2008.  This server is running an application which *has* to update itself from the internet at least once per day otherwise it doesn't work.  Therefore I would like any user to be able to run the update procedure.

The update runs as administrator but not as a limited user.  The update always fails on a certain file in the Windows System32 folder, despite me granting "Domain Users" full controll to the file.  After using "Process Monitor" I have found that Windows appears to be redirecting the request from Windows\system32\filename to User's profile\windows\system32\filename - the file doesn't exist in this location and the update fails.

Is there any way I can stop Windows 2008 from redirecting this file?  This way I can give users full controll to the files relating to the app in system32 and the update will then hopefully succeed.  

Alternatively, is there a way to make a "limited" admin account.  By this I mean a account with admin rights (therefore permissions to update system32), however this account cannot run any applications other than this software (since I don't want users running apps on the terminal server they are not supposed to have access to).  This way I can educate users to right click the update exe and "run as" this limited admin account.

Any help gratefully received.
0
Comment
Question by:wasc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 10

Expert Comment

by:abraham808
ID: 24805230
Try creating another User Group and apply permissions to that group.
0
 

Author Comment

by:wasc
ID: 24806036
Thanks for the suggestion.  I already tried giving Domain Users full control to the files in System32 that belong to the app without success.  I'm not sure what other permissions I could apply with another user group.

I believe it's something to do with redirection on Windows 2008 since the app is trying to write to U:\Windows\System32\file instead of C:\Windows\system32\file where U is their home profile location.  Therefore it looks like windows is silently redirecting the write request to the windows system32 folder.
0
 
LVL 6

Expert Comment

by:ou_dober
ID: 24806203
Have you considered making a script to run the update and than add it to the server task scheduler to run daily or multiple times a day?  By using task scheduler, you can put in the administrator credentials for the server without elevating the domain user privileges to get the update completed.

ou_dober
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
LVL 6

Accepted Solution

by:
ou_dober earned 2000 total points
ID: 24806678
Another option could be this:

The shortcut can than be added to the default user startup folder, add in the TS login script, the default user desktop, or in the registry.

@echo off
psexec -accepteula -u administrator -p password c:\windows\notepad.exe

Open in new window

0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24811101
Just a random guess here but i'm going to guess it has something to do with the way the updates are being started. If you go to a command prompt Start-Run-> type CMD and press ok...I will assume the default path shows up as U:\  

You can try changing the default command path to C:\ as shown at http://windowsxp.mvps.org/autoruncmd.htm

Then we can see if it tries to update the correct location.
0
 

Author Closing Comment

by:wasc
ID: 31601172
Excellent - this one works well.  I've given all users access to the exe file created by BAT to EXE Converter 1.5 and have deleted the batch file itself (so they can't open it to see the password).

Now everyone can run the update program (as administrator) without being given admin rights or knowing an admin password.
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question