
Group Policy question 4

Status
Not open for further replies.

shannanl

IS-IT--Management
Apr 24, 2003
I have a group policy question. I have a Win 2000 server and about 75 mixed 2000/XP clients. I run an older program that requires that I give each user administrative rights to the client computers. I can't get around this. If I set it to anything else the program crashes. My problem is that some of the users abuse this and install all kinds of stuff, Weather Bug, Kazaa, etc. on their computers. Can I write a group policy to stop new installs?

Thanks,

Shannan
 
Have you tried enabling individual permissions to try this program? (The user doesn't need Admin access, they need some portion of it for the software...it wants to write to the registry or full control of the disk or such.) Try enabling a restricted test user with special permissions (one at a time) until you find the combination that lets the program run. Maybe contact the software vendor to find what the program needs. I hate giving anyone Local Admin if there is any way around it...

How about this: restrict the users to a minimum. Use a script to change the password of the local Admin account for each workstation to the same thing and alter the program icon to "Run As (the new) Admin" using the new local Admin password. Most users won't know about the Run As, and the password in the shortcut is displayed as ***** so they couldn't get it if they tried...

Alex
 
Does this application require authenticated network access to other systems? If not, this might work. It's a variation on AlexIT's solution, if more tedious. :p

75 machines is a non-trivial amount, but you might be able to get away with making a new local user on each of the machines and adding that user to the Administrators group on the local machine. Make sure to give it a password only you and trusted staff will know. Regular strong password policy should apply, since this is an admin account, and a savvy user could still take advantage of it should the password be compromised.

Go into the local security policy (Administrative Tools) on each machine and open 'Local Policies' -> 'User Rights Assignment'. Find the item for 'Deny logon locally' and add the new admin user you just created. This will limit users from trying to logon locally to the machine as this user.

If this is an application that needs authentication to the network to use resources, you might have to make a regular user on the server which is added to the local admin account on all of the workstations. Restrict local logon as above. I would suggest against making an additional network level admin. While it would save time to simply add another user to the Domain Admins group, it's a little too risky to do that just to get an app to work when it puts your entire network at risk too.

After that, set up custom shortcuts to 'Run As', like AlexIT has listed above. On 75 machines, I don't envy you the task of visiting each one, but you might be able to mitigate some of that with scripting.

One final note that I thought of. If this app needs individual user authentication to direct some level of access within the application itself, you might be unable to go with the 'Run As' approach, since the application will either think that it is connected to by one network user (which was added to each local admin group) or else a bunch of local machine users that happen to be local admins too, which won't mean anything server-side. If this is the case, you might be doing as AlexIT suggested, and getting in touch with the software vendor to find which registry keys and files need the appropriate permissions. I've done this before too, and sometimes it can be as simple as giving the "Everyone" group access to a temp folder. Your mileage may vary.

I may be doing this 'Run As' workaround enterprise wide (800+ machines) in my organization over the summer. Some apps just don't want to work without admin privileges (or a ridiculous amount of work on my part), but giving admin rights to local users is simply becoming too risky. You aren't alone in this. We're all doing it.
 
Thanks guys for the great info. I am like you, I shudder every day at the thought of 75 users with admin rights to their computers. I will try these suggestions. I really appreciate the help.

Shannan
 
I'd grab a copy of SysInternals REGMON and watch what registry keys the software tries to access when the user is just a user on the machine. Then give full permissions to just those registry keys. You will probably also have to give full permissions to the application files.

I have a few apps like this that I have to support and this is how we found what we really need to allow.

The one exception so far has been QuickBooks. Intuit is terrible with security restrictions and they seem to have hundreds of registry keys. I've almost given up on that one.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
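The approach Mark describes above (watch what the program is denied when it runs as a plain user, then open up only those registry keys and files) can be scripted. The following is an added example and not Mark's, Sysinternals' or the original poster's code. It assumes a CSV export from Process Monitor, the current Sysinternals tool that replaced RegMon, with the standard column headers; the log lines, process name `legacyapp.exe`, paths and the `BUILTIN\Users` principal are constructed placeholders. It grants read/write on registry keys and Modify on folders rather than full control, because full control would also let the user rewrite the ACL itself, and it runs as a dry run until `$DryRun` is set to `$false`.

```powershell
# Added example (not from the thread): turn a Process Monitor CSV export into
# the minimal set of registry keys and folders a legacy app needs, then grant a
# group write access on just those objects instead of making users local admins.

# Constructed sample of a Process Monitor CSV export (File > Save... as CSV).
$SampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","legacyapp.exe","1234","RegOpenKey","HKLM\SOFTWARE\ExampleVendor\LegacyApp","ACCESS DENIED","Desired Access: All Access"
"10:01:02.2","legacyapp.exe","1234","RegSetValue","HKLM\SOFTWARE\ExampleVendor\LegacyApp\LastUser","ACCESS DENIED","Type: REG_SZ"
"10:01:02.3","legacyapp.exe","1234","CreateFile","C:\Program Files\LegacyApp\data\session.tmp","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.4","legacyapp.exe","1234","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ"
"10:01:02.5","explorer.exe","900","CreateFile","C:\Windows\Temp\other.tmp","ACCESS DENIED","Desired Access: Generic Write"
'@

$AppProcess = 'legacyapp.exe'   # assumption: process name of the legacy program
$Principal  = 'BUILTIN\Users'   # assumption: a dedicated group for the app's users is better
$DryRun     = $true             # flip to $false to actually change permissions

# Map one denied Process Monitor entry to the object that carries the ACL.
function ConvertTo-AclTarget {
    param([string]$Operation, [string]$Path)
    if ($Path -match '^(HKLM|HKCU)\\') {
        # Process Monitor writes HKLM\..., PowerShell's registry provider wants HKLM:\...
        $psPath = $Path -replace '^(HKLM|HKCU)\\', '$1:\'
        # Value operations name the value; permissions live on the containing key.
        if ($Operation -like 'Reg*Value') { $psPath = Split-Path -Path $psPath -Parent }
        return [pscustomobject]@{ Kind = 'Registry'; Path = $psPath }
    }
    # For files, grant on the folder: creating a new file needs write on the directory.
    $folder = if (Test-Path -LiteralPath $Path -PathType Container) { $Path } else { Split-Path -Path $Path -Parent }
    return [pscustomobject]@{ Kind = 'File'; Path = $folder }
}

# Add an allow rule for $Identity to one key or folder (ACL change, nothing else).
function Grant-AppAccess {
    param([string]$Kind, [string]$Path, [string]$Identity, [bool]$WhatIf)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not present on this machine, skipping: $Path"
        return
    }
    $acl = Get-Acl -LiteralPath $Path
    if ($Kind -eq 'Registry') {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Identity,
            [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey',
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
    } else {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity,
            [System.Security.AccessControl.FileSystemRights]::Modify,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
    }
    $acl.AddAccessRule($rule)
    if ($WhatIf) {
        Write-Host "Would grant $Identity write access on $Kind $Path"
    } else {
        Set-Acl -LiteralPath $Path -AclObject $acl
        Write-Host "Granted $Identity write access on $Kind $Path"
    }
}

# 1. Keep only the target process's ACCESS DENIED events.
$denied = $SampleCsv | ConvertFrom-Csv |
    Where-Object { $_.'Process Name' -eq $AppProcess -and $_.Result -eq 'ACCESS DENIED' }

# 2. Reduce them to a unique list of keys and folders to fix.
$targets = $denied | ForEach-Object { ConvertTo-AclTarget -Operation $_.Operation -Path $_.Path } |
    Sort-Object -Property Kind, Path -Unique

Write-Host "Objects the app was denied access to as a standard user:"
$targets | Format-Table -AutoSize

# 3. Apply (or preview) the minimal grants.
foreach ($t in $targets) {
    Grant-AppAccess -Kind $t.Kind -Path $t.Path -Identity $Principal -WhatIf $DryRun
}
```

Run the real capture with a Process Monitor filter on the application's process name and the Result column set to ACCESS DENIED, export to CSV, and feed that file in with `Get-Content` in place of `$SampleCsv`. Review the list before clearing `$DryRun`: a key under `HKLM\SOFTWARE\Microsoft` or a folder such as `C:\Windows` in that list usually means the program should be fixed by the vendor rather than given write access there.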
 
Thanks Mark for the info. It sure helps.

Shannan
 
Star for Mark, I've been talking to the software guys when I could have been using REGMON and seeing it for myself!

Alex
 
There is another reg tool that I really like which is RegSnap. It allows you to save the snapshots for comparison. Only the registered version lets you save files though. A google search should help you find a copy of that.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
