  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 900

Windows 7 Pro - Full Control/Permissions for an app

I have a new Windows 7 Pro (Acer VX275) that we just set up here at the shop.  We want the user as a Standard User with name HA017.  We installed our routine application called AB.exe.  The company that produces AB says they support Win 7.  When launched from the desktop shortcut, Win 7 puts up a prompt for the Admin password.  We can't get rid of that password prompt behavior.  Here's what we've tried thus far.

On the admin account, we went to the folder (c:\Program Files\AB) and granted HA017 full control over the folder.  No luck.  

We went to the admin account and found the application - AB.exe - and set the User HA017 with full control.  No luck.

We established the user HA017 as an admin and uninstalled and reinstalled - runs the app fine but with the admin privs.  However, reverted to a standard user - no luck.  

Back to the admin acct and regranted full control to HA017 (read, write, etc).  Logged on as HA017 - standard user - no luck.

Set HA017 as admin - and set up the "Take Ownership" context menu applet.  Right click, Take Ownership - it runs.  Reverted to standard user.  No luck.

I'm obviously missing something here?  Can someone point me in the right direction?

0
whftherb Asked:
3 Solutions
 
mitrum Commented:
Have you checked whether their (AB.exe) services also have the same administrator permission?

Use the "process hack" tool to find their related services.
0
 
whftherb (Author) Commented:
Are you referring to Sysinternals Process Monitor?
0
 
whftherb (Author) Commented:
Further - I did check with the authors of AB.exe.  There are no services spawned by AB.exe nor does it use any special services outside of the normal Windows services already in place.

0
 
Bill Commented:
Would it help to:
1 - Right Click on the Shortcut
2 - On the Shortcut Tab click "Advanced" in the lower right hand corner
3 - Check Run As Administrator

Let us know if that helps.
0
 
Sigurdur Haraldsson (System Administrator) Commented:
Seems to me this is a User Account Control thing.

First, disable UAC. I don't recommend it but you can do it to try to see if that doesn't solve your problem. Then download ACT (Application Compatibility Toolkit) and change the application so that it can run with admin privileges.
0
 
Bill Commented:
We ran into UAC problems with Sage Accpac accounting software.

To turn off:  Start>Help and Support>Type in "UAC">then select the first option "Turn User Account Control on or off"
0
 
Hulking Commented:
To add to what sighar wrote, you can right click on the application and choose Troubleshoot compatibility, check the box for "The program requires additional permissions", click Next and start the program. If that works you can save the settings and the program should run as administrator from that point on. I say should, because sometimes you still just need to drop the UAC settings down a notch at a time till the program gets around the issue. Another way is to test the startup of the application while running ProcMon to see where it gets hung up.
0
 
whftherb (Author) Commented:
OK, let me seek a further clarification.  First off, disabling UAC can be done but unfortunately, that defeats the nice security feature that helpfully "goof proofs" windows.  However we will live with it if need be.  

Question:  Would disabling UAC with the Admin account be applied machine-wide, and thus apply it into/onto the standard user account?  Or do I have to assign user HA017 temp admin privs, knock down UAC, revert to a standard user?  

(Seems kind of kludgy, doesn't it...)

H

Note: I won't be back until Wed - day after tomorrow....
0
 
whftherb (Author) Commented:
While I'm working (thinking) on this, does anyone know if the "sequence" of loading apps matters when it comes to UAC/Ownership.  What I mean is this - Does it matter if:

(a) I install the app first, then establish the user account and confer control/privileges from the admin at that point,

or

(b) Establish the user account, install the app using the admin, then confer control/privs upon the user after

?

Second point:  How is it then that normal routine third party type applications (for example CCleaner or Office) get to run unencumbered on the standard account and this one refuses?  I don't understand it.
0
 
Hulking Commented:
Windows 7 and the UAC do some things that are hard to understand. Depending on the settings it can stop users (applications) from writing to the registry and to certain places in the file system. It will try working around that by writing to the local user registry or to the user's home directory when needed and the proper UAC settings are in place.

This might help...
http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx
0
 
whftherb (Author) Commented:
Hi again.  I'm home today fighting a cold so I've lots of time on my hands...

I have done a lot of Googling today.  So far I've not come up with a single satisfactory answer.  What I have discovered is, I can not do this.  It appears I have to make that standard user an admin which directly contradicts and defeats the purpose of UAC's security features.  Then I think, "Wait a minute!  That's completely bass-ackward!  Why would they code the OS to be secure then force the users/admins to thwart it because they can't run anything as a standard user?"  Again, I go back to why do some apps run without an admin password, let's take the example of a program like CCleaner?  Is it because CCleaner is coded or written in such a way or manner to allow standard users to use it?

Is there some method available that stipulates:  If we run AB.exe, let it go because we absolutely TRUST that is bona-fide and that it will do no harm?

I still don't know if setting the user up before or subsequent to the installation of AB.exe is impacting this...  I don't think it matters but does someone know for sure?

H
0
 
johnb6767 Commented:
Process Monitor
http://live.sysinternals.com/procmon.exe

Set the filter at the top for "Result" is "Access denied", and then hit Include....

Then launch ab.exe, and see if anything gets a hit in the logging... If so, open them up for the Users group and retest... Might be a reg key, might be trying to update something like a .log file in c:\windows....
0
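The Process Monitor triage suggested in the comment above, as an added example that is not part of the original thread: it reads a capture saved as CSV and lists which files and registry keys were denied to one process, so a permission can be granted on that exact resource instead of on the whole folder or account. It assumes Process Monitor's default CSV export columns; the sample rows, paths and PIDs are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample in Process Monitor's default CSV layout (File > Save > CSV).
# Every path, PID and timestamp below is made up for illustration.
SAMPLE_CSV = "\ufeff" + r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1000000 AM","AB.exe","4120","CreateFile","C:\Program Files\AB\ab.log","ACCESS DENIED","Desired Access: Generic Write"
"9:01:02.2000000 AM","AB.exe","4120","CreateFile","C:\Program Files\AB\ab.log","ACCESS DENIED","Desired Access: Generic Write"
"9:01:02.3000000 AM","AB.exe","4120","RegSetValue","HKLM\SOFTWARE\AB\Settings\LastRun","ACCESS DENIED",""
"9:01:02.4000000 AM","AB.exe","4120","RegOpenKey","HKCU\Software\AB","SUCCESS","Desired Access: Read"
"9:01:02.5000000 AM","Explorer.EXE","1800","CreateFile","C:\Windows\other.log","ACCESS DENIED",""
"9:01:02.6000000 AM","AB.exe","4120","CreateFile","C:\Windows\ab.log","ACCESS DENIED","Desired Access: Generic Write"
'''

# Registry hive prefixes as Process Monitor abbreviates them in the Path column.
REGISTRY_ROOTS = ("HKLM", "HKCU", "HKCR", "HKU")


def denied_resources(csv_text, process_name, result="ACCESS DENIED"):
    """Return [((kind, operation, path), count), ...] for one process,
    most frequent first. Matching is case-insensitive, like the Procmon filter."""
    # Procmon writes a UTF-8 byte order mark; drop it so the first header parses.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    hits = Counter()
    for row in reader:
        if row["Process Name"].lower() != process_name.lower():
            continue  # some other process was denied; not our problem here
        if row["Result"].strip().lower() != result.lower():
            continue
        path = row["Path"]
        kind = "registry" if path.upper().startswith(REGISTRY_ROOTS) else "file"
        hits[(kind, row["Operation"], path)] += 1
    return hits.most_common()


if __name__ == "__main__":
    for (kind, operation, path), count in denied_resources(SAMPLE_CSV, "ab.exe"):
        print(f"{count:3d}  {kind:8s}  {operation:12s}  {path}")
```
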
 
whftherb (Author) Commented:
OK, John - I've tested procmon on my home system just to see what it looks like.  Tell me --
"Access denied" is the precise string, correct?  Because it's not offered as an option in the drop down...  If "Access denied" is the proper allowed entry, am I to assume that it has to be case sensitive, ie "Access denied" vs "access denied".  Second question:  Is "Access denied" going to actually be a result of the UAC stopping to ask for the admin password?

H
0
 
Hulking Commented:
The access denied should tell you what the app is trying to do when it fails; could be a file or registry write. If it is a registry write you can configure compatibility to use an alternate registry location that the user has access to.
0
 
johnb6767 Commented:
Yes, and you type it in the top filter box, even though it is not a selectable option, and it is case insensitive.....
0
 
whftherb (Author) Commented:
OK, good evening.  Here's what worked for me and this "problem".

First I uninstalled the application completely.  Next, the install package was one folder deep under the root.  I logged in under the standard user account.  I launched the install package and before any changes were permitted, I was prompted for the admin password.  The app installed smoothly.  Still in the standard user account, I drilled down to the install folder (C:\ProgramFiles\Autobase).  On that folder I took "ownership" by right clicking it > Properties panel > Security > Advanced > Owner tab.  Once there I observed that the folder was owned by Administrator and the Administrator Group.  I added the standard user to that list and selected it as owner, all the while giving Windows the admin password when it begged for it.  Closed out and (here's where I probably went wrong the first time) ...  rebooted.

Done!  It works perfectly and I didn't have to sacrifice a lot of built in security for basic functionality one would normally expect.

Even though Win 7's UAC is easier to manage, I still think there ought to be a way to tell Win 7, "Look I know what I'm doing, I trust this application or this process, let it pass."  Why there isn't an easier more direct UAC override is a question that may never be answered.

I'll see about splitting some points here.

H
0
 
whftherb (Author) Commented:
I figured some of this out myself but the experts here were instrumental in stimulating thoughts about the solution.
0
Question has a verified solution.
