Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 751
  • Last Modified:

Application Requires Admin Rights to Run

I have just installed sbs 2008 along with 3 workstations. I have everything working fine except an application that my client uses. Its a basic design program that doesn't require installation, it can be run from the root folder. The only issue i have is that as all of the users are set to standard users the application wont run. As soon as i add the user to the administration group the application runs fine. Is there another way for me to do this as ideally i don't want the users being part of the admin group

Thanks
0
Daniel Bertolone
Asked:
Daniel Bertolone
  • 3
  • 3
  • 2
  • +1
2 Solutions
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
You'll need to debug with Filemon and Regmon, what the application is doing, that needs admin rights. It may be possible to identify, that it's right to a location on the disk or registry that requires Admin rights, which will allow you to make some changes, and grant access to registry and disk for those users.

Speak to the Vendor/Developer about the application, and see if they can work with you.

with scripting you could also try and install the application normally in any folder, and then use the subst command to fool the application is running in the root of a drive, but this doesn't help you with the Admin access.
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
that's write to a location on disk or registry (not right!).
0
 
Rob WilliamsCommented:
It is common for users in an SBS domain to be administrators of their own machine. As a matter of fact this was the default with SBS 2003, even though it defies Microsoft's best practices. Should you want to do so you can easily "upgrade" the user from the Windows SBS console under users and groups | users | double click on the user | computers | make the user an admin of any machine you would like.

However I can appreciate your concerns. If you want to remedy this you need to use a tool like Sysinternal's/Microsoft's  Process Monitor and determine what registry keys and folders to which the user  will need admin privileges and change just those entries. It is time consuming but standard practice:
http://technet.microsoft.com/en-us/sysinternals/bb896645
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Daniel BertoloneAuthor Commented:
There are no registry entries, just the files that are located in the program directory. Once I discover what files are needed for the app to run, is it simple enough giving the users admin access just to those files?
0
 
Rob WilliamsCommented:
That is what process Monitor will tell you. Start recording as the user, open the application, when it fails, stop recording and review all of the errors. There will always be some that are totally unrelated, but it will advise which files, and registry entries, if any, the user was not allowed to access,and then you can add permissions for the user or a group  to which the user belongs.
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
It's possible it could be wrting to a temp directory? Check with Filemon and Regmon.
0
 
Rob WilliamsCommented:
Filemon and regmon have been replaced by Process Monitor.
0
 
connectexCommented:
Use Process Monitor to monitor the application's registry and file calls. You can disable processes and network monitoring at the top. Also set the filter to use the name of the .exe and result contains the word denied. If you don't get any results, remove the name of the .exe. from the filter. This will provide more results but not all of them may apply to your specific application. Now you can grant the local users group the rights the needed to these registry and files entries. You may need to grant rights to a folder iteself, if it's creating new files in it. If so lock down the executes files on the folder to read only. This includes .dll, .chm, .exe, .bat, .cmd files. Now if you really want to document and recreate these needed changes for the other and future system. I recommend creating a batch file that calls SetACL. SetACL is on SourceForge site. That way you can quickly deal with this in the future. For a new system, install the application, confirm it runs as administrator, run the batch to set the proper rights, now test for non-admin user. I'm been using SBS with non-admin users for several years. It's just one of the steps I use to avoid most mal-ware.
0
 
Daniel BertoloneAuthor Commented:
Thanks guys
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 3
  • 3
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now