
restrict administrator from system settings

Status
Not open for further replies.

projection

Programmer
Aug 24, 2004
US
Hi,

I am trying to configure our production PC to restrict users from changing the time/date, IP address and installing programs.

I created a user account, operator, as a restricted user. This works fine except our time clock software has to be run as administrator. The registry would generate an access denied error when trying to start up. So, I changed the permissions on the user.dat and the various other registry files found under system32/config to include this user. However, the registry still returned an access denied.

So, I selected the program to run as a different user. When the program starts up, it asks who to run as and the password. The problem with this is that if the computer restarts when I am not here, people will not be able to start the program due to not knowing the administrator password.

I installed Security Administrator to see if I could restrict access to system controls. You could restrict the way daylight savings could be adjusted but not changing the time. You could restrict the advanced options of TCP/IP but still have the ability to change the IP address.

So, I want to find a way to store the administrator password and have the program reference the stored password instead of having to enter it if the computer restarts. Or, gather some suggestions from the community on a really good, cheap security program. Or, anything else someone could suggest.

Thank you for reading!
 
Hi,

Try to find out exactly what rights the software needs. You could have one of two possible courses of action:

1. Run regedt32.exe. This will let you set access permissions on the contents of the registry itself if the software needs to modify the contents of some of the HKLM key, for example.
Modifying the permissions on the files will only let the users change the actual files on the disk, but all editing should be done through proper registry editing software.

2. Run gpedit.msc, then expand Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. Then you can assign the rights needed for that application to run. If you set this at a domain or OU level on the computers, this can be done easily without repeating the change on each PC.

John
 
SeSystemTimePrivilege is a system privilege and not controlled by Group Policy or anything accessible by the Win2k GUI.

First, download ntrights.exe, part of the Win2k Resource Kit, (if you do not have it) from here:
Unzip ntrights.exe and place it in c:\Winnt\system32

Second step, as Administrator: Start, Run, CMD
ntrights.exe -u Users +r SeSystemtimePrivilege

On reboot the privilege will be granted.

Discussion - There may be registry level ACLs to modify:
NTRIGHTS Syntax:

NTRights.Exe - Beta Version by Geor
Grants/Revokes NT-Rights to a user/
usage: -u xxx User/Group
-m \\xxx machine to perform
-e xxxxx Add xxxxx to the event log
-r xxx revokes the xxx right
+r xxx grants the xxx right

valid NTRights are:
SeCreateTokenPrivilege
SeAssignPrimaryTokenPrivilege
SeLockMemoryPrivilege
SeIncreaseQuotaPrivilege
SeUnsolicitedInputPrivilege
SeMachineAccountPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeRemoteShutdownPrivilege
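
To check the result of an ntrights change like the one above, the following added example (not part of the thread, and not code from any poster) lists the accounts that currently hold SeSystemtimePrivilege and marks any outside an expected baseline. It assumes a Windows version with PowerShell and secedit.exe; the baseline SIDs and the scratch file name are assumptions chosen for illustration.

```powershell
# Added example: report which accounts hold the right to change the system time.
# Run from an elevated prompt. Values marked "assumption" are illustrative.
$right        = 'SeSystemtimePrivilege'
$expectedSids = @('S-1-5-32-544', 'S-1-5-19')   # assumption: Administrators, LOCAL SERVICE
$cfgPath      = Join-Path $env:TEMP 'user-rights-audit.inf'   # assumption: scratch file

# Export only the user-rights area of the local security policy.
secedit.exe /export /cfg $cfgPath /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

try {
    # [Privilege Rights] lines look like: SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
    $line = Get-Content -Path $cfgPath |
        Where-Object { $_ -match "^\s*$right\s*=" } |
        Select-Object -First 1

    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }

    foreach ($holder in $holders) {
        $sid  = $null
        $name = $holder                      # entries without * are already account names
        if ($holder.StartsWith('*')) {
            # Entries prefixed with * are SIDs; resolve them to account names.
            $sid = $holder.Substring(1)
            try {
                $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $name = $id.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = '(unresolved)'       # for example, a deleted account
            }
        }
        [pscustomobject]@{
            Right    = $right
            Account  = $name
            Sid      = $sid
            Expected = ($expectedSids -contains $sid)   # name-only entries show False
        }
    }
    if (-not $holders) { Write-Output "$right is not assigned to any account." }
} finally {
    Remove-Item -Path $cfgPath -ErrorAction SilentlyContinue
}
```

After the ntrights command shown in the post, the output would include a row for BUILTIN\Users (S-1-5-32-545) with Expected set to False, meaning every standard user can change the clock.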
 