Application Requires Admin Rights to Run

Posted on 2011-02-13
Last Modified: 2012-05-11
I have just installed sbs 2008 along with 3 workstations. I have everything working fine except an application that my client uses. Its a basic design program that doesn't require installation, it can be run from the root folder. The only issue i have is that as all of the users are set to standard users the application wont run. As soon as i add the user to the administration group the application runs fine. Is there another way for me to do this as ideally i don't want the users being part of the admin group

Question by:Daniel Bertolone
  • 3
  • 3
  • 2
  • +1
LVL 117
ID: 34884565
You'll need to debug with Filemon and Regmon, what the application is doing, that needs admin rights. It may be possible to identify, that it's right to a location on the disk or registry that requires Admin rights, which will allow you to make some changes, and grant access to registry and disk for those users.

Speak to the Vendor/Developer about the application, and see if they can work with you.

with scripting you could also try and install the application normally in any folder, and then use the subst command to fool the application is running in the root of a drive, but this doesn't help you with the Admin access.
LVL 117
ID: 34884566
that's write to a location on disk or registry (not right!).
LVL 77

Accepted Solution

Rob Williams earned 250 total points
ID: 34884586
It is common for users in an SBS domain to be administrators of their own machine. As a matter of fact this was the default with SBS 2003, even though it defies Microsoft's best practices. Should you want to do so you can easily "upgrade" the user from the Windows SBS console under users and groups | users | double click on the user | computers | make the user an admin of any machine you would like.

However I can appreciate your concerns. If you want to remedy this you need to use a tool like Sysinternal's/Microsoft's  Process Monitor and determine what registry keys and folders to which the user  will need admin privileges and change just those entries. It is time consuming but standard practice:

Author Comment

by:Daniel Bertolone
ID: 34884614
There are no registry entries, just the files that are located in the program directory. Once I discover what files are needed for the app to run, is it simple enough giving the users admin access just to those files?
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

LVL 77

Expert Comment

by:Rob Williams
ID: 34884631
That is what process Monitor will tell you. Start recording as the user, open the application, when it fails, stop recording and review all of the errors. There will always be some that are totally unrelated, but it will advise which files, and registry entries, if any, the user was not allowed to access,and then you can add permissions for the user or a group  to which the user belongs.
LVL 117
ID: 34884655
It's possible it could be wrting to a temp directory? Check with Filemon and Regmon.
LVL 77

Expert Comment

by:Rob Williams
ID: 34884669
Filemon and regmon have been replaced by Process Monitor.
LVL 13

Assisted Solution

connectex earned 250 total points
ID: 34884765
Use Process Monitor to monitor the application's registry and file calls. You can disable processes and network monitoring at the top. Also set the filter to use the name of the .exe and result contains the word denied. If you don't get any results, remove the name of the .exe. from the filter. This will provide more results but not all of them may apply to your specific application. Now you can grant the local users group the rights the needed to these registry and files entries. You may need to grant rights to a folder iteself, if it's creating new files in it. If so lock down the executes files on the folder to read only. This includes .dll, .chm, .exe, .bat, .cmd files. Now if you really want to document and recreate these needed changes for the other and future system. I recommend creating a batch file that calls SetACL. SetACL is on SourceForge site. That way you can quickly deal with this in the future. For a new system, install the application, confirm it runs as administrator, run the batch to set the proper rights, now test for non-admin user. I'm been using SBS with non-admin users for several years. It's just one of the steps I use to avoid most mal-ware.

Author Comment

by:Daniel Bertolone
ID: 34905776
Thanks guys

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Introduction At 19:33 (UST) on Tuesday 21st September the long awaited email arrived with the subject title of “ANNOUNCING THE AVAILABILITY OF WINDOWS SBS 7 PREVIEW”.  It was time to drop whatever I was doing and dedicate as much bandwidth as possi…
The SBS 2011 release date (RTM) is supposed to be around Christmas, 2011.  This article is a compilation of my notes -- things I have learned first hand.  The items are in a rather random order, but I think this list covers most of what is new and d…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now