Solved

Windows 7 Pro - Full Control/Permissions for an app

Posted on 2010-11-08
17
881 Views
Last Modified: 2012-06-27
I have a new Windows 7 Pro (Acer VX275) that we just set up here at the shop.  We want the user as a Standard User with name HA017.  We installed our routine application called AB.exe.  The company that produces AB says they support Win 7.  When launched from the desktop shortcut, Win 7 puts up a prompt for the Admin password.  We can't get rid of that password prompt behavior.  Here's what we've tried thus far.

On the admin account, we went to the folder (c:\Program Files\AB) and granted HA017 full control over the folder.  No luck.  

We went to the admin account and found the application - AB.exe - and set the User HA017 with full control.  No luck.

We established the user HA017 as an admin and uninstalled and reinstalled - runs the app fine but with the admin privs.  However, reverted to a standard user - no luck.  

Back to the admin acct and regranted full control to HA017 (read, write, etc).  Logged on as HA017 - standard user - no luck.

Set HA017 as admin - and set up the "Take Ownership" context menu applet.  Right click, Take Ownership - it runs.  Reverted to standard user.  No luck.

I'm obviously missing something here?  Can someone point me in the right direction?

0
Comment
Question by:whftherb
  • 8
  • 3
  • 2
  • +3
17 Comments
 
LVL 2

Accepted Solution

by:
mitrum earned 167 total points
ID: 34086788
have you check  their (AB.exe) services have same administrator permission also ?

use  "process hack" tool to find their related services.
0
 

Author Comment

by:whftherb
ID: 34087055
Are you referring to Sysinternals Process Monitor?
0
 

Author Comment

by:whftherb
ID: 34087180
Further - I did check with the authors of AB.exe.  There arer no services spawned by AB.exe nor does it use any special services outside of the normal Windows services already in place.

Helpful?

0
 
LVL 8

Expert Comment

by:TSGITDept
ID: 34087196
Would it help to:
1 - Right Click on the Shortcut
2 - On the Shortcut Tab click "Advanced" in the lower right hand corner
3 - Check Run As Administrator

Let us know if that helps.
0
 
LVL 11

Expert Comment

by:sighar
ID: 34087463
Seems to me this is a User Account Control thing.

First, disable UAC. I don't recommend it but you can do it to try to see if that doesn't solve your problem. Then download ACT (Application Compatibility Toolkit) and change the application so that it can run with admin privileges.
0
 
LVL 8

Expert Comment

by:TSGITDept
ID: 34087766
We ran into UAC problems with Sage Accpac accounting software.

To turn off:  Start>Help and Support>Type in "UAC">then select the first option "Turn User Account Control on or off"
0
 
LVL 1

Expert Comment

by:Hulking
ID: 34088257
To add to what sighar wrote, you can right click on the application and choose Troubleshoot compatability, check the box for "the program requires additional permissions, click next and start the program. If that works you a=can save the settings and the program should run as addministrator from that point on. I say should, because sometimes you still just need to drop the UAC settings down a notch at a time till the program gets around the issue. Annother way is to test the startup of the application while running ProcMon to see where it gets hung up.
0
 

Author Comment

by:whftherb
ID: 34089549
OK, let me seek a further clarification.  First off, disabling UAC can be done but unfortunately, that defeats the nice security feature that helpfully "goof proofs" windows.  However we will live with it if need be.  

Question:  Would disabling UAC with the Admin account be applied machine-wide, and thus apply it into/onto the standard user account?  Or do I have to assign user HA017 temp admin privs, knock down UAC, revert to a standard user?  

(Seems kind of kludgy, doesn't it...)

H

Note:I won't be back until Wed - day after tomorrow....
0
Don't lose your head updating email signatures!

Do your end users still have the wrong email signature? Do email signature updates bore you or fill you with a sense of dread? You can make this a whole lot easier on yourself by trusting an Exclaimer email signature management solution. Over 50 million users do...so should you!

 

Author Comment

by:whftherb
ID: 34092480
While I'm working (thinking) on this, does anyone know if the "sequence" of loading apps matters when it comes to UAC/Ownership.  What I mean is this - Does it matter if:

(a) I install the app first, then establish the user account and confer control/priveleges from the admin at that point,

or

(b) Establish the user account, install the app using the admin, then confer control/privs upon the user after

?

Second point:  How is then that normal routine third party type applications (for example CCleaner or Office)  for example get to run unencumbered on the standard account and this one refuses?  I don't understand it.
0
 
LVL 1

Expert Comment

by:Hulking
ID: 34093708
Windows 7 and the UAC do some things that are, hard to understand. Depending on the settings it can stop users, (applications), from writing to the registry and to certain places in the file system. It will try working around that by writing to the local user registry or to the users home directory when needed and the proper UAC settings are in place.

This might help...
http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx
0
 

Author Comment

by:whftherb
ID: 34095580
Hi again.  I'm home today fighting a cold so I've lots of time on my hands...

I have done a lot of Googling today.  So far I've not come up with a single stisfactory answer.  What I have discovered is, I can not do this.  It appears I have to make that standard user an admin which directly contradicts and defeats the purpose of UAC's security features.  Then I think, "Wait a minute!  That's completely bass-ackward!  Why would they code the OS to be secure then force the users/admins to thwart it because they can't run anything as a standard user?"  Again, I go back to why do some apps run without an admin password, let's take the example of a program like CCleaner?  Is it because CCleaner is coded or written in such a way or manner to allow standard users to use it?

Is there some method available that stipulates:  If we run AB.exe, let it go because we absolutely TRUST that is bona-fide and that it will do no harm?

I still don't know if setting the user up before or subsequent to the installation of AB.exe is impacting this...  I don't think it matters but does somone know for sure?

H
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 167 total points
ID: 34095828
Process Monitor
http://live.sysinternals.com/procmon.exe

Set the filter at the top for "Result" is "Access denied", and then hit Include....

Then launch ab.exe, and see if anything gets a hit in the logging... If so, open them up for the Users group and retest... Might be a reg key, might be trying to update something like a .log file in c:\windows....
0
 

Author Comment

by:whftherb
ID: 34097041
OK, John - I've tested procmon on my home system just to see what it looks like.  Tell me --
"Access denied" is the precise string, correct?  Because it's not offered as an option in the drop down...  If "Access denied" is the proper allowed entry, am I to assume that it has to be case sensitive, ie "Access denied" vs "access denied".  Second question:  Is "Access denied" going to actually be a result of the UAC stopping to ask for the admin password?

H
0
 
LVL 1

Assisted Solution

by:Hulking
Hulking earned 166 total points
ID: 34098618
The access denied should tell you what the app is trying to do when it fails, could be a file or registry write. If it is a registry write you can configure compatability to use an alternat registry location that the user has access to.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34099154
Yes, and you type it in the top filter box, even though it is not a selectable option, and it is case insensitve.....
0
 

Author Comment

by:whftherb
ID: 34116673
OK, good evening.  Here's what worked for me and this "problem".

First I uninstalled the application completely.  Next, the install package was one folder deep under the root.  I logged in under the standard user account.  I launched the install package and before any changes were permitted, I was prompted for the admin password.  The app installed smoothly.  Still in the standard user account, I drilled down to the install folder (C:\ProgramFiles\Autobase).  On that folder I took "ownership" by right clicking it > Properties panel > Security > Advanced > Owner tab.  Once there I observed that the folder was owned by Administrator and the Administrator Group.  I added the standard user to that list and selected it as owner, all the while giving Windows the admin password when it begged for it.  Closed out and (here's where I probably went wrong the first time) ...  rebooted.

Done!  It works perfectly and I didn't have to sacrifice a lot of built in security for basic functionality one would normally expect.

Even though Win 7's UAC is easier to manage, I still think there ought to be a way to tell Win 7, "Look I know what I'm doing, I trust this application or this process, let it pass."  Why there isn't an easier more direct UAC override is a question that may never be answered.

I'll see about splitting some points here.

H
0
 

Author Closing Comment

by:whftherb
ID: 34116691
I figured some of this out myself but the experts here were instrumental in stimulating thoughts about the solution.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Several part series to implement Internet Explorer 11 Enterprise Mode
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now