Aside from the rights issue, to ensure that users are not missing keys,
specifically those in HKey Current User, it's is recommended practice to
install programs on machines as follows:

1) create a seperate account with admin rights, for example call the account
"install" (not the Administrator account)

2) install all programs using this account

3) after installing programs, log in as Administrator and copy the profile
of "install" to Default user.

Any users logging onto this machine for the first time will have their
profile created from the default, and this will include any registry keys
from HKCU

With regards to rights, as others have said, both auditing of files and
registry keys, plus relying on the company that produced your product to
inform you of neccessary rights are both essential. Unfortunately I've
found in the past that I've ended up educating some companies on what rights
their software needs...

Regards,
Jason

----- Original Message -----
From: "Starks, Brad" <BStarksco.marin.ca.us>
To: <emannquestinc.org>; <comprepsrvyahoo.com>;
<focus-mssecurityfocus.com>
Sent: Tuesday, April 09, 2002 7:47 AM
Subject: RE: Group Policy denies access to some programs

> I've run into this problem from time to time and while the quick fix is to
> grant the user local admin rights on the box, that potentially opens up an
> entirely new set of problems. We prefer not to use blanket-type solutions
> like that (no offense to those that choose to) and prefer to only enable
the
> needed security where required and no where else.
>
> What I've found is that you can contact the vendor for the affected
programs
> and they can provide you with the needed rights for each file and
directory
> both during an install and for running the program post-install. A perfect
> example of this scenario involved the Passport emulation software (no
> relation to Microsoft's Passport). After
> contacting the vendor via email, they provided me with a complete list of
> the files and directories accessed and the rights users needed in order to
> run the software and after implementing that list, all users were able to
> run the program without further incident and did not have to be granted
> unneeded administrator rights to the rest of the machine.
>
> Hope that helps,
> Brad
>
> -----Original Message-----
> From: emannquestinc.org [mailto:emannquestinc.org]
> Sent: Monday, April 08, 2002 11:39 AM
> To: comprepsrvyahoo.com; focus-mssecurityfocus.com
> Subject: RE: Group Policy denies access to some programs
>
>
> >From my experience, it depends entirely on the program and the way the
> installer configuration was setup.
>
> I've ran into programs that installed a bunch of .OCX files into
> \winnt\system32 but never ACL'd the files properly and made them
> Administrator only, and thus any user that did not have Administrator
access
> (local or domain) could not run the application. This was entirely an
> installer error from what I gathered.
>
> Other programs require registry access to write/modify certain keys. Your
> group policies may not account for this and that could be why the
> application is not working.
>
>
>
> -----Original Message-----
> From: comprepsrvyahoo.com [mailto:comprepsrvyahoo.com]
> Sent: Monday, April 08, 2002 11:15 AM
> To: focus-mssecurityfocus.com
> Subject: Group Policy denies access to some programs
>
>
>
>
> I have a w2000 server running AD which
> authenticates w2000 Prof. clients. I have Group
> Policy set up and my users are part of the Domain
> Users group. When these users try to access
> certain programs they get errors or access denied
> errors. I used RUN AS to install and tried installing
> under my admin account, placing a shortcut in the
> ALL USERS desktop folder. When I run the
> programs under Admin, they work fine.
>
> So, how can I free certainm programs to run for the
> users that need them?
>
> thanks
>
> dp
>

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]