We are having some new software installed which requires local admin rights.
I presurem if this happens do I take it the domain users will be then able
to install software when they want it
we have a 2003 std server as a domain controller
Lookforware to your replys
Leonard <Leonard@discussions.microsoft.com> wrote:
> We are having some new software installed which requires local admin
> rights.
>
> I presurem if this happens do I take it the domain users will be then
> able to install software when they want it
>
> we have a 2003 std server as a domain controller
>
> Lookforware to your replys
Don't grant local admin rights. Users will definitely be able to install
anything (or uninstall anything) change network settings, and so on. Power
Users is not much better.
First, speak to the software developer and complain loudly - there is NO
reason the users should need admin rights to run their software. It should
require admin rights only to *install*. Ask for a list of file system
locations & registry entries to which the end user will need to have
permissions modified (read, or read/write) to run the app. If they don't
have this, complain louder. This is just plain sloppy code.
If all else fails, check out Sysinternals Process Monitor (free download
from MS) - you can run it to determine what the app expects to access and
make changes manually. Test thoroughly - do not deploy the app on any
computer before you've determined how you can make it work & behave
properly.
the new software is Sage CRM and local admin rights need to be on for the
software to run, not just install.
I have not idea why this is but we are trying to find out why
any further advice would be greatfull
if we do have to have admin rights can we monitor what users try and install
etc
"Lanwench [MVP - Exchange]" wrote:
> Leonard <Leonard@discussions.microsoft.com> wrote:
> > We are having some new software installed which requires local admin
> > rights.
> >
> > I presurem if this happens do I take it the domain users will be then
> > able to install software when they want it
> >
> > we have a 2003 std server as a domain controller
> >
> > Lookforware to your replys
>
> Don't grant local admin rights. Users will definitely be able to install
> anything (or uninstall anything) change network settings, and so on. Power
> Users is not much better.
>
> First, speak to the software developer and complain loudly - there is NO
> reason the users should need admin rights to run their software. It should
> require admin rights only to *install*. Ask for a list of file system
> locations & registry entries to which the end user will need to have
> permissions modified (read, or read/write) to run the app. If they don't
> have this, complain louder. This is just plain sloppy code.
>
> If all else fails, check out Sysinternals Process Monitor (free download
> from MS) - you can run it to determine what the app expects to access and
> make changes manually. Test thoroughly - do not deploy the app on any
> computer before you've determined how you can make it work & behave
> properly.
>
>
>
>
>
Leonard <Leonard@discussions.microsoft.com> wrote:
> the new software is Sage CRM and local admin rights need to be on for
> the software to run, not just install.
No, that's just what the developer is telling you, and I'm telling you
they're full of it. Don't let software vendors drive decisions like this.
The users don't *need* local admin rights. Simply put, the user evidently
needs to access something that ordinarily an end user can't access. The user
does *not* need all the permissions granted to an administrator- meaning, to
run this software they do *not* need permissions to add/remove software,
device drivers, edit network configurations, create user accounts, etc. -
and that's what an administrator account can do.
>
> I have not idea why this is but we are trying to find out why
Because they're lazy or crappy software developers? Seriously, this is
something you should complain loudly about. My advice still applies - you
can work around this if you get a list of file system & registry keys to
edit - or find this out yourself as I've advised.
>
> any further advice would be greatfull
>
> if we do have to have admin rights can we monitor what users try and
> install etc
Nope. Do not give them admin rights, if you want to maintain your
environment properly. Get a test box & the Sysinternals tool.
>
>
> "Lanwench [MVP - Exchange]" wrote:
>
>> Leonard <Leonard@discussions.microsoft.com> wrote:
>>> We are having some new software installed which requires local admin
>>> rights.
>>>
>>> I presurem if this happens do I take it the domain users will be
>>> then able to install software when they want it
>>>
>>> we have a 2003 std server as a domain controller
>>>
>>> Lookforware to your replys
>>
>> Don't grant local admin rights. Users will definitely be able to
>> install anything (or uninstall anything) change network settings,
>> and so on. Power Users is not much better.
>>
>> First, speak to the software developer and complain loudly - there
>> is NO reason the users should need admin rights to run their
>> software. It should require admin rights only to *install*. Ask for
>> a list of file system locations & registry entries to which the end
>> user will need to have permissions modified (read, or read/write) to
>> run the app. If they don't have this, complain louder. This is just
>> plain sloppy code.
>>
>> If all else fails, check out Sysinternals Process Monitor (free
>> download from MS) - you can run it to determine what the app expects
>> to access and make changes manually. Test thoroughly - do not deploy
>> the app on any computer before you've determined how you can make it
>> work & behave properly.
ya but you might be able to get around that if your users aren't too hip by
setting up a shortcut using Runas command with the /savecred switch
enable..if you have roaming profiles, I think there is folder in Local
Settings you might have to save between sessions to maintain the
credentials...looked into this a while ago but go distracted... or maybe you
could run the application as a service ..depending. You also might get away
with putting User/Change permsssions on the Program Folder only. This works
with many badly designed programs that follow the windows security model.
Another thing you could try is setting Change permissions on HKLM keys that
are relevant to the application.
TimeTraveller
"Leonard" <Leonard@discussions.microsoft.com> wrote in message
news:5BAD01FB-7DE9-4431-98E5-29A3CD47E660@microsoft.com...
> We are having some new software installed which requires local admin
> rights.
>
> I presurem if this happens do I take it the domain users will be then able
> to install software when they want it
>
> we have a 2003 std server as a domain controller
>
> Lookforware to your replys
>
Posting Permissions
Reply With Quote
Bookmarks