Program permission issues

[ivwshane]

I have a program that my users must be able to use but they are limited to the limited user account permissions.

I've had it before where they could run the program with no issues with their limited account but a recent update to the program has caused problems (and an older version cannot be found).

The program requires full permissions on the programs folder (and sub folders) as well as access to registry keys. (sounds like bad programming to me)

What's the best way to handle this?

I've given the users full control of the program folder but I'm not sure how or if I want to give them access to the registry.

Is there a way to have that program automatically ran as a particular user (without the limited user knowing)?

 

[cleverhandle]

Originally posted by: ivwshane
The program requires full permissions on the programs folder (and sub folders) as well as access to registry keys. (sounds like bad programming to me)

The *entire* Program Files folder? Not just it's own subfolder of it? That does seem rather excessive.

I've given the users full control of the program folder but I'm not sure how or if I want to give them access to the registry.

You can assign permissions to keys and groups of keys. It's been a while since I did it, but IIRC you can just right-click on the keys in regedit and you'll get a permissions dialog much like the one for regular folder permissions.

Is there a way to have that program automatically ran as a particular user (without the limited user knowing)?

"runas" with the "/savecred" flag can probably do this, but I think that would be a small-scale solution that would require you to manually setup each user on each machine. There's probably a better way that I'm not aware of, being that I'm not really a Windows guy.

 

[ivwshane]

No I changed the permissions on the program folder of the program I am working with.

I've tried changing the permissions on the reg keys but there are a ton of them!

This program is really garbage!

 

[xtknight]

Which program? If it's something small and gullible you can probably coerce it into running.

 

[ivwshane]

It's called winforms by zipforms. You can see the level of quality just by looking at their support section.

 

[stash]

Is there a way to have that program automatically ran as a particular user (without the limited user knowing)?

You don't want to go there. Mr. Baddie replaces your exe with his code that has the same name, and he now is running his code as that privileged user.

 

[mechBgon]

If the computers are WinXP Professional Edition, one workaround might be:

1) make a new shortcut to your program on the user's desktop screen

2) make a new Power User account by right-clicking My Computer > Manage > Snack Break > Local Users & Groups > Groups > Power Users

3) give the Power User account a password that does not expire and cannot be changed

4) now right-click your desktop shortcut and choose Properties. Let's say it says "C:\Program Files\Internet Explorer\IEXPLORE.EXE" in the Target: box. Stick runas /user:name_of_Power_User_account_here /savecred in front of that string, and change the Start In: box to somewhere that your Limited user has access to, like "C:\Documents and settings\user"

5) now start the program using the shortcut. It'll ask for the password to that Power User account this first time. Hopefully you don't have to further elevate the Power User account to full Admin powers, but that would be one final option.


At work, I have one user at work using QuickBooks, The World's Most Retarded Program?, and this allowed me to get her down to a Restricted User account for everything else, at least.

One disadvantage is that this program will look by default at an entirely different desktop, mapped drives, My Documents folder, etc, because it's running under that Power User account. Also, while the user's browser and email and etc will run at their minimal privilege level, they could use the Power User account to get into stuff that their Limited/Restricted-User account won't let them into, via whatever file-browsing capabilities this elevated program has.

 

[ivwshane]

Hmm...good ideas but I just hope the creaters of said program fix the issue:|