Solved

Allow non-admins to update files in the System32 folder (or make a limited admin account)

Posted on 2009-07-08
Last Modified: 2013-12-04
I have a terminal server running Windows 2008.  This server is running an application which *has* to update itself from the internet at least once per day otherwise it doesn't work.  Therefore I would like any user to be able to run the update procedure.

The update runs as administrator but not as a limited user.  The update always fails on a certain file in the Windows System32 folder, despite me granting "Domain Users" full control to the file.  After using "Process Monitor" I have found that Windows appears to be redirecting the request from Windows\system32\filename to User's profile\windows\system32\filename - the file doesn't exist in this location and the update fails.

Is there any way I can stop Windows 2008 from redirecting this file?  This way I can give users full control to the files relating to the app in system32 and the update will then hopefully succeed.  

Alternatively, is there a way to make a "limited" admin account.  By this I mean an account with admin rights (therefore permissions to update system32), however this account cannot run any applications other than this software (since I don't want users running apps on the terminal server they are not supposed to have access to).  This way I can educate users to right click the update exe and "run as" this limited admin account.

Any help gratefully received.
Question by:wasc
6 Comments
 
LVL 10

Expert Comment

by:abraham808
ID: 24805230
Try creating another User Group and apply permissions to that group.
 

Author Comment

by:wasc
ID: 24806036
Thanks for the suggestion.  I already tried giving Domain Users full control to the files in System32 that belong to the app without success.  I'm not sure what other permissions I could apply with another user group.

I believe it's something to do with redirection on Windows 2008 since the app is trying to write to U:\Windows\System32\file instead of C:\Windows\system32\file where U is their home profile location.  Therefore it looks like Windows is silently redirecting the write request to the Windows system32 folder.
 
LVL 6

Expert Comment

by:ou_dober
ID: 24806203
Have you considered making a script to run the update and then add it to the server task scheduler to run daily or multiple times a day?  By using task scheduler, you can put in the administrator credentials for the server without elevating the domain user privileges to get the update completed.

ou_dober

 
LVL 6

Accepted Solution

by:
ou_dober earned 500 total points
ID: 24806678
Another option could be this:

The shortcut can then be added to the default user startup folder, added in the TS login script, the default user desktop, or in the registry.

@echo off

psexec -accepteula -u administrator -p password c:\windows\notepad.exe

 
LVL 17

Expert Comment

by:OriNetworks
ID: 24811101
Just a random guess here but I'm going to guess it has something to do with the way the updates are being started. If you go to a command prompt Start-Run-> type CMD and press ok...I will assume the default path shows up as U:\  

You can try changing the default command path to C:\ as shown at http://windowsxp.mvps.org/autoruncmd.htm

Then we can see if it tries to update the correct location.
 

Author Closing Comment

by:wasc
ID: 31601172
Excellent - this one works well.  I've given all users access to the exe file created by BAT to EXE Converter 1.5 and have deleted the batch file itself (so they can't open it to see the password).

Now everyone can run the update program (as administrator) without being given admin rights or knowing an admin password.
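
Added example, not part of the thread: a small audit script that finds script files still carrying a psexec command line with an inline -u/-p credential, like the batch file in the accepted solution, so leftover copies on shares or in login-script folders can be located and removed. The function names, the extension list and the sample text are assumptions made for this example.

```python
import re
import shlex
from pathlib import Path

SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs"}   # assumed set of script types to audit
PSEXEC = re.compile(r"(?i)\bpsexec(64)?(\.exe)?\b")

# Constructed sample: an old commented-out line, the line from the thread,
# and a line with -u but no -p (psexec prompts for the password instead).
SAMPLE = r"""@echo off
rem psexec -u administrator -p oldpassword update.exe
psexec -accepteula -u administrator -p password c:\windows\notepad.exe
psexec -u administrator c:\app\update.exe
"""

def find_inline_credentials(text):
    """Return (line_no, user, redacted_line) for psexec lines with both -u and -p."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if not PSEXEC.search(line):
            continue                      # comments are NOT skipped: old creds hide there
        try:
            tokens = shlex.split(line.strip(), posix=False)  # keeps backslashes and quotes
        except ValueError:                # unbalanced quote: fall back to whitespace split
            tokens = line.split()
        user, has_password, redacted = None, False, list(tokens)
        for i, tok in enumerate(tokens[:-1]):
            flag = tok.lower()
            if flag in ("-u", "/u"):
                user = tokens[i + 1].strip('"')
            elif flag in ("-p", "/p"):
                has_password = True
                redacted[i + 1] = "<redacted>"   # never echo the secret into the report
        if user and has_password:
            hits.append((no, user, " ".join(redacted)))
    return hits

def audit_tree(root):
    """Scan script files under root; return {path: hits} for files with findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTS:
            hits = find_inline_credentials(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

if __name__ == "__main__":
    for no, user, line in find_inline_credentials(SAMPLE):
        print(f"line {no}: inline password for '{user}': {line}")
```
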