Solved

Allow non-admins to update files in the System32 folder (or make a limited admin account)

Posted on 2009-07-08
Last Modified: 2013-12-04
I have a terminal server running Windows 2008.  This server is running an application which *has* to update itself from the internet at least once per day otherwise it doesn't work.  Therefore I would like any user to be able to run the update procedure.

The update runs as administrator but not as a limited user.  The update always fails on a certain file in the Windows System32 folder, despite me granting "Domain Users" full control to the file.  After using "Process Monitor" I have found that Windows appears to be redirecting the request from Windows\system32\filename to User's profile\windows\system32\filename - the file doesn't exist in this location and the update fails.

Is there any way I can stop Windows 2008 from redirecting this file?  This way I can give users full control to the files relating to the app in system32 and the update will then hopefully succeed.

Alternatively, is there a way to make a "limited" admin account?  By this I mean an account with admin rights (therefore permissions to update system32), however this account cannot run any applications other than this software (since I don't want users running apps on the terminal server they are not supposed to have access to).  This way I can educate users to right click the update exe and "run as" this limited admin account.

Any help gratefully received.
Question by:wasc
6 Comments
 
LVL 10

Expert Comment

by:abraham808
ID: 24805230
Try creating another User Group and apply permissions to that group.
0
 

Author Comment

by:wasc
ID: 24806036
Thanks for the suggestion.  I already tried giving Domain Users full control to the files in System32 that belong to the app without success.  I'm not sure what other permissions I could apply with another user group.

I believe it's something to do with redirection on Windows 2008 since the app is trying to write to U:\Windows\System32\file instead of C:\Windows\system32\file where U is their home profile location.  Therefore it looks like Windows is silently redirecting the write request to the Windows system32 folder.
0
 
LVL 6

Expert Comment

by:ou_dober
ID: 24806203
Have you considered making a script to run the update and then adding it to the server task scheduler to run daily or multiple times a day?  By using task scheduler, you can put in the administrator credentials for the server without elevating the domain user privileges to get the update completed.

ou_dober
0
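The Task Scheduler approach suggested in the comment above, as an added example that is not part of the original thread. The updater path and task name are placeholders, and it assumes the updater can run non-interactively under the SYSTEM account, so no administrator password is stored in any file users can read.

```bat
@echo off
rem Added example: register the application's updater as a scheduled task.
rem UPDATER and TASKNAME are placeholders, not values from the thread.
setlocal
set "UPDATER=C:\Program Files\ExampleApp\update.exe"
set "TASKNAME=ExampleApp-Update"

rem Creating a SYSTEM task needs an elevated prompt.
rem "net session" is a common elevation check: it fails for non-admins.
net session >nul 2>&1
if errorlevel 1 (
    echo Run this script from an elevated command prompt.
    exit /b 1
)

if not exist "%UPDATER%" (
    echo Updater not found, edit UPDATER at the top of this script.
    exit /b 1
)

rem Run the updater every 6 hours as SYSTEM with highest privileges.
rem /F overwrites an existing task of the same name.
rem The inner \" quotes keep a path containing spaces intact in /TR.
schtasks /Create /TN "%TASKNAME%" /TR "\"%UPDATER%\"" /SC HOURLY /MO 6 /RU SYSTEM /RL HIGHEST /F
if errorlevel 1 exit /b 1

rem To run under a named administrative account instead of SYSTEM,
rem replace "/RU SYSTEM" with:  /RU DOMAIN\account /RP *
rem schtasks then prompts for the password and stores it with the task,
rem not in this script.

rem Show the registered task so the schedule and run-as account can be checked.
schtasks /Query /TN "%TASKNAME%" /V /FO LIST

rem Show the ACL on the updater binary. Non-admin users should not have
rem write access to a file that a SYSTEM task executes.
icacls "%UPDATER%"
endlocal
```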

 
LVL 6

Accepted Solution

by:
ou_dober earned 2000 total points
ID: 24806678
Another option could be this:

The shortcut can then be added to the default user startup folder, the TS login script, the default user desktop, or the registry.

@echo off
psexec -accepteula -u administrator -p password c:\windows\notepad.exe


0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 24811101
Just a random guess here but I'm going to guess it has something to do with the way the updates are being started. If you go to a command prompt Start-Run-> type CMD and press OK...I will assume the default path shows up as U:\

You can try changing the default command path to C:\ as shown at http://windowsxp.mvps.org/autoruncmd.htm

Then we can see if it tries to update the correct location.
0
 

Author Closing Comment

by:wasc
ID: 31601172
Excellent - this one works well.  I've given all users access to the exe file created by BAT to EXE Converter 1.5 and have deleted the batch file itself (so they can't open it to see the password).

Now everyone can run the update program (as administrator) without being given admin rights or knowing an admin password.
0
