• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 260
  • Last Modified:

Server 2008 R2: Need an idea for domain user permissions issue

This is a server 2008 r2 site, all Windows 7 Pro clients. Users do NOT have local admin rights to their client machines. In this particular business, some users get DVDs with video on them that they need to review. The only way to view these videos is by running an executable on the DVD. When they try to do that, they are met with the admin credentials prompt. I need an idea how to allow certain users to run these DVD video executables without giving them local admin rights to the entire machine and without them using the domain admin credentials. Thanks.
2 Solutions
Chad FranksCommented:
I have used http://technet.microsoft.com/en-us/library/ee424371(v=ws.10).aspx  (App Locker) in the past.  It lets you create policies regarding specific applications to run as a normal user  - lets you lock it down, rather than give admin rights to everyone
Sean FitzpatrickSr Lab Systems EngineerCommented:
Agree w/ Chad, applocker is your best option

I found the following, may be it will help you:

I faced the same problem , what i did was:(Windows 7)

Ran Regedit and navigated to HKU\z\SYSTEM\CurrentControlSet\Control\Class{4D36E965-E325-11CE-BFC1-08002BE10318}

Right clicked, then click new, then create a new key. Then rename it to Properties. In Properties create two new dwords

    DeviceType Type:reg_dword Value:00000002
    DeviceCharacteristics Type:reg_dword Value:00000100

Then Uninstall the driver of cd/dvd from Device manager.

Scan for New Hardware. Boom!! Problem Solved.
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

tcianfloneAuthor Commented:
Thanks for the AppLocker idea. I reviewed some training videos on this. Can I create an AppLocker rule just for the video related programs I'm having problems with WITHOUT having to create rules for ALL of the software the users typically use? Or do I have to define rules for ALL software for this to work?
Sean FitzpatrickSr Lab Systems EngineerCommented:
You should be able to create applocker rules for just for certain software, you should not need to create it for everything.  Everything else would just run with w/e you have as the 'default' rule.
tcianfloneAuthor Commented:
Thanks for the pointer to applocker. I have not had the opportunity to implement it yet, as is often the case with my job. But from what I've read this seems to be the way to do it. Question: Do any of you use applocker to allow things like flash and java auto updates run from a locked down desktop? Seemed like it could be used for something like that as well.

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Tackle projects and never again get stuck behind a technical roadblock.
Join Now