"Users" can not run programs that need admin rights 1

[computermike]

I work as a tech at a community college where the students are logged in as generic users, in the users group, so they don't mess up the computers. Because of this, some applications will not run as they require administrator rights to run. We have not found an answer to this problem.
"Runas" is not appropriate in this case. Power user is giving them too much power also.

Any ideas ?

 

[butchrecon]

If you log in as Administrator and right click on the application and go to Security, and ADD the users, or better yet create a new group and add the group there and give the group the proper permissions there. Then add those users you wnat to use the application under the new group. Give that a shot and get back to us. James Collins
Systems Support Engineer
A+, MCP

email: butchrecon@skyenet.net

Please let us (Tek-tips members) know if the solutions we provide are helpful to you. Not only do they help you but they may help others.

 

[wapowell]

I agree that in certain cases, the users or the users group need to be added to the security settings for the program in order for it to run, but in many cases this will not work.
The first thing you need to determine is WHY does one need to be an admin to run the app. Does the program mod the registry? What is it doing in the background? etc.
Where I work we have a few programs which interact with the OS in such a way that if the user is not at least a power user, then the prog will give up errors and kind of half way work.
Remember, if you go to the app executable and go to the security tab and grant a user or the user group full access, you are granting them full access to THAT file, not full access to do whatever that file is trying to do.

~Bill

 

[butchrecon]

wapowell, Thats what I said I believe. I did not suggest giving Admin rights. We too have a similar situation where I work. That is the best way I have found to allow others to access a program without giving them more privlages than they need. James Collins
Systems Support Engineer
A+, MCP

email: butchrecon@skyenet.net

Please let us (Tek-tips members) know if the solutions we provide are helpful to you. Not only do they help you but they may help others.

 

[wapowell]

The situation presented by 'computermike' was not access TO the program file, but rather the requirement of apropriate permissions to USE a program. They can have full access control over the directory that the prog is in, to include full access control of the program's executable itself. That is having access TO the program. But if they are a regular user, and that program is trying to make modifications to the system, or access areas of the system that a member of the user group does not have permissions for, then it will not work even if they have been given full control as described above. That is an example of not having the required permissions for a program to operate.
Example - I have laptop users that can not successfully run various programs (i.e., Reflections for IBM, and certain dial-up SW) if they are not power users. They have full access to the executables, they can see the programs, they can execute the programs, but when they double click on it, the program tries to execute and by design of the OS it uses the users permission level, which if it is a user level, then it craps out.....if it is a power user level or admin level, it runs perfectly.
This is why I advise 'computermike' to determine why the users must be admins. If it is because they can not see the executabl, then I agree that he needs to add the users group to the security settings of that program. If they need to be admins because the program needs to interact with the OS with a permision level higher than that of a user, then he needs to address it as such.
Perhaps 'computermike' should give an example of which app will not run when logged on as a regular user.
I don't think we are disagreeing as much as answering different scenarios. 'Computermike' should clarify if the problem is access to an installed product, or required permissions or the program to operate properly, and he should also give examples of which programs he is dealing with in this case.

~Bill

 

[computermike]

The program in question is Quickbooks 2000 and it seems to want rights to the registry. When starting as a user is says we have not entered the registration key and to re-install the program. The program was installed by a user account with admin rights.

We fully expect some other programs to complain and still would like to hear from others as to how they work with user rights vs program desires.

Thanks to all

 

[computermike]

Is there a way to give a user admin rights but stop them from installing a program off the internet ?

 

[jogairan]

I have the same issue, but here are some detailes:
We used to be fine running the same application with nt4.0 and user no having admin rights (The program is Extra, Attachmate). Users who now have 2kpro on their systems, however, require admin previlages to be able to launch the program,without admin rights, they will get an error. This error states that the security file is missing. I am yet to find a resolution to this one. Any suggestions will be appriciated.

 

[wapowell]

Have either of you contacted the appropriate SW vendor? If so, what was their response?

Bill Powell, MCP
powellwa@hotmail.com

 

[computermike]

We contacted Intuit and they accused up of installing more copies than we have licenses for. This is totally untrue and off the mark.

 

[jogairan]

I have not called the vendor since we only have this issue with 2k workstations and not that many in the company yet. I need to find out what the program is trying to do that requires admin rights with 2k and not with nt4.0.

 

[pbxman]

I have a couple of suggestions/comments..

Make sure the program is fully accessible under the user's profile (NT security settings). I'd just set them to "everyone".

Make sure any shortcuts are not pointing to the Administrator profile, because regular users won't be able to get into that profile.

Lastly, and is what I had to do with Quark in our office..
Start Regedt32, and search for instances to "Quickbooks", or the manufacturer, etc. Set the permissions on those keys to "everyone", and they will be able to pull registry permissions without full "admin rights".

The concept of "Administrator rights" is fully controlled in the registry. Pretty much the only difference between a "guest" and an "Admin" is that the guest has extremely limited registry permissions, and the admin has full permissions. Hence, specify only the permissions they need for the keys they need access to.

Also - dont forget to export the registry settings once you get it working, so you can apply it to other machines easily.

Good luck!

 

[jogairan]

This sounds like a bright idea and I think it will work. I will try it. Thanks pbxman

 

[pbxman]

Your welcome - I hope it works out for ya..
This is what we're all here for! Dont forget to vote for me too!