Application Requires Admin Rights to Run

Posted on 2011-02-13
Last Modified: 2012-05-11
I have just installed sbs 2008 along with 3 workstations. I have everything working fine except an application that my client uses. Its a basic design program that doesn't require installation, it can be run from the root folder. The only issue i have is that as all of the users are set to standard users the application wont run. As soon as i add the user to the administration group the application runs fine. Is there another way for me to do this as ideally i don't want the users being part of the admin group

Question by:Daniel Bertolone
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +1
LVL 120
ID: 34884565
You'll need to debug with Filemon and Regmon, what the application is doing, that needs admin rights. It may be possible to identify, that it's right to a location on the disk or registry that requires Admin rights, which will allow you to make some changes, and grant access to registry and disk for those users.

Speak to the Vendor/Developer about the application, and see if they can work with you.

with scripting you could also try and install the application normally in any folder, and then use the subst command to fool the application is running in the root of a drive, but this doesn't help you with the Admin access.
LVL 120
ID: 34884566
that's write to a location on disk or registry (not right!).
LVL 77

Accepted Solution

Rob Williams earned 250 total points
ID: 34884586
It is common for users in an SBS domain to be administrators of their own machine. As a matter of fact this was the default with SBS 2003, even though it defies Microsoft's best practices. Should you want to do so you can easily "upgrade" the user from the Windows SBS console under users and groups | users | double click on the user | computers | make the user an admin of any machine you would like.

However I can appreciate your concerns. If you want to remedy this you need to use a tool like Sysinternal's/Microsoft's  Process Monitor and determine what registry keys and folders to which the user  will need admin privileges and change just those entries. It is time consuming but standard practice:
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

by:Daniel Bertolone
ID: 34884614
There are no registry entries, just the files that are located in the program directory. Once I discover what files are needed for the app to run, is it simple enough giving the users admin access just to those files?
LVL 77

Expert Comment

by:Rob Williams
ID: 34884631
That is what process Monitor will tell you. Start recording as the user, open the application, when it fails, stop recording and review all of the errors. There will always be some that are totally unrelated, but it will advise which files, and registry entries, if any, the user was not allowed to access,and then you can add permissions for the user or a group  to which the user belongs.
LVL 120
ID: 34884655
It's possible it could be wrting to a temp directory? Check with Filemon and Regmon.
LVL 77

Expert Comment

by:Rob Williams
ID: 34884669
Filemon and regmon have been replaced by Process Monitor.
LVL 13

Assisted Solution

connectex earned 250 total points
ID: 34884765
Use Process Monitor to monitor the application's registry and file calls. You can disable processes and network monitoring at the top. Also set the filter to use the name of the .exe and result contains the word denied. If you don't get any results, remove the name of the .exe. from the filter. This will provide more results but not all of them may apply to your specific application. Now you can grant the local users group the rights the needed to these registry and files entries. You may need to grant rights to a folder iteself, if it's creating new files in it. If so lock down the executes files on the folder to read only. This includes .dll, .chm, .exe, .bat, .cmd files. Now if you really want to document and recreate these needed changes for the other and future system. I recommend creating a batch file that calls SetACL. SetACL is on SourceForge site. That way you can quickly deal with this in the future. For a new system, install the application, confirm it runs as administrator, run the batch to set the proper rights, now test for non-admin user. I'm been using SBS with non-admin users for several years. It's just one of the steps I use to avoid most mal-ware.

Author Comment

by:Daniel Bertolone
ID: 34905776
Thanks guys

Featured Post

Why You Need a DevOps Toolchain

IT needs to deliver services with more agility and velocity. IT must roll out application features and innovations faster to keep up with customer demands, which is where a DevOps toolchain steps in. View the infographic to see why you need a DevOps toolchain.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I’m often asked about newer and larger USB drives connected to SBS2008 and 2011 failing Windows Server Backup vs the older USB drives not failing. As disk space continues to grow and drive technology change SBS2008 and some SBS2011 end up with the f…
You may have discovered the 'Compatibility View Settings' workaround for making your SBS 2008 Remote Web Workplace 'connect to a computer' section stops 'working around' after a Windows 10 client upgrade.  That can be fixed so it 'works around' agai…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question