Help with GPO settings

Status
Not open for further replies.

chvchk

Programmer
Aug 18, 2004
33
US
Environment:
Single site domain
2 2003 Standard DCs with AD

The core application of our production process requires users of that software to be local power users or local admins of the workstation. This application tracks work order movement, scrap, inventory, etc., so it is accessed often.
I have a huge problem with this security requirement, as 2 of these computers are out in the open and aren't continually manned by anyone, so they are pretty vulnerable.

Can anyone recommend a way through a GPO that I can work around this problem? The 3rd party software company won't support it but states it is possible to do. I just can't determine where to start and they won't tell me, so... I'm hoping someone here has had a similar problem and found a way around it.

TIA~
Heather
 
Greetings Heather,

First off, I can't think of any way to do this with GP, but maybe someone smarter than me can. The 3rd party won't tell you how because they don't know how and they don't want you to know they don't know how (say that 10 times fast). This is a classic example of programmers not developing with the principle of least authority in mind. From my experience you can get around this by knowing the intricacies of the 3rd party software, what it does and where it does it. Start by easing NTFS permissions on the install directory and any place it may be trying to write data to. Some software likes to write temp files in some real strange places. Keep it as narrow as possible; don't give everyone full control at c:\. Then I would start looking at registry keys the software needs to write to or read from. I'm sure there is a main key for the software and a bunch of subkeys you could loosen permissions on. Don't forget other keys the software may use, like DSN or ODBC info if it hits a database. All the keys will most likely be in the HKEY_Local_Machine hive, as non-admins can't manipulate this hive. If this approach isn't your cup of tea, you could use the runas functionality also.

Hope this helps.

RoadKi11
 
I agree with RoadKi11's suggestion; you should be able to make this work by relaxing NTFS permissions. You could then script this using cacls.

Take a look here for handy utils to help you find what files are in use and their locations; Process Explorer should help. (Be quick, MS has just bought it so it might not remain free.)

Or alternatively you could try the excellent RunAS wrapper from Palmersoft (also free); this allows an app to run with elevated privileges but encrypts the password.
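
The narrow-permissions approach described in the replies above, as an added example that is not part of the original thread. It uses PowerShell's `Get-Acl`/`Set-Acl` rather than cacls, and the group name, folder and registry key are hypothetical placeholders; substitute the locations you find the application actually writes to.

```powershell
# Added example. Run from an elevated prompt. All three values are assumptions.
$Group   = 'CONTOSO\WorkOrderUsers'            # hypothetical AD group for the app's users
$DataDir = 'C:\Program Files\VendorApp\Data'   # hypothetical folder the app writes to
$RegKey  = 'HKLM:\SOFTWARE\VendorApp'          # hypothetical vendor key the app writes to

function Grant-FolderModify {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    # Modify only (no Full Control, no change-permissions), inherited by subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-RegistryWrite {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    # Read plus set-value and create-subkey; no delete, no permission changes.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, 'ReadKey,SetValue,CreateSubKey', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ExplicitGrant {
    param([string]$Path, [string]$Identity)
    # Return only the non-inherited entries for the group, to confirm what was added.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited }
}

foreach ($target in $DataDir, $RegKey) {
    if (-not (Test-Path -Path $target)) {
        Write-Warning "Skipping missing target: $target"
        continue
    }
    if ($target -like 'HKLM:*') { Grant-RegistryWrite -Path $target -Identity $Group }
    else                        { Grant-FolderModify  -Path $target -Identity $Group }
    Get-ExplicitGrant -Path $target -Identity $Group | Format-List
}
```

Granting the group write access only on the data subfolder and the vendor's own key, not on the folder holding the executables, keeps a standard user from replacing the program's binaries.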


 