I've run into this problem from time to time and while the quick fix is to
grant the user local admin rights on the box, that potentially opens up an
entirely new set of problems. We prefer not to use blanket-type solutions
like that (no offense to those that choose to) and prefer to only enable the
needed security where required and no where else.

What I've found is that you can contact the vendor for the affected programs
and they can provide you with the needed rights for each file and directory
both during an install and for running the program post-install. A perfect
example of this scenario involved the Passport emulation software (no
relation to Microsoft's Passport). After
contacting the vendor via email, they provided me with a complete list of
the files and directories accessed and the rights users needed in order to
run the software and after implementing that list, all users were able to
run the program without further incident and did not have to be granted
unneeded administrator rights to the rest of the machine.

Hope that helps,
Brad

-----Original Message-----
From: emannquestinc.org [mailto:emannquestinc.org]
Sent: Monday, April 08, 2002 11:39 AM
To: comprepsrvyahoo.com; focus-mssecurityfocus.com
Subject: RE: Group Policy denies access to some programs

From my experience, it depends entirely on the program and the way the
installer configuration was setup.

I've ran into programs that installed a bunch of .OCX files into
\winnt\system32 but never ACL'd the files properly and made them
Administrator only, and thus any user that did not have Administrator access
(local or domain) could not run the application. This was entirely an
installer error from what I gathered.

Other programs require registry access to write/modify certain keys. Your
group policies may not account for this and that could be why the
application is not working.

-----Original Message-----
From: comprepsrvyahoo.com [mailto:comprepsrvyahoo.com]
Sent: Monday, April 08, 2002 11:15 AM
To: focus-mssecurityfocus.com
Subject: Group Policy denies access to some programs

I have a w2000 server running AD which
authenticates w2000 Prof. clients. I have Group
Policy set up and my users are part of the Domain
Users group. When these users try to access
certain programs they get errors or access denied
errors. I used RUN AS to install and tried installing
under my admin account, placing a shortcut in the
ALL USERS desktop folder. When I run the
programs under Admin, they work fine.

So, how can I free certainm programs to run for the
users that need them?

thanks

dp

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]