Announcement

Collapse
No announcement yet.

User rights issue

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • User rights issue

    Hi,

    I have a 2k3 server with clients connecting over R-Desktop (thin clients).
    I do not have ADS.

    I have an in-house developed application which downloads a verification file from the internet and copies it in C:\Windows\System32 folder.

    If I login as an Administrator, this application works fine; which means that this application can connect to the internet, download the file and copy it in c:\windows\system32 folder.

    When I try to run this application as a regular user, it does not work.

    I am sure, connect to the internet is not the problem.

    I *guess*, the problem can be RIGHT-ACCESS to copy a file into C:\windows\system32 folder. This is possible. I have not setup any special policies. Std 2k3 installation.

    What do you think should be my check points.

    Pls advice.

    Thank you.
    Sandeep

  • #2
    Re: User rights issue

    Why dont you log on as the and esnrue they have internet connectivity?

    It does sound like a permissions issues. By default users dont have write permission to the c:\windows directory and I would advise against giving then write access.

    Is it possible to change the location of where the file is downloaded to executed from to c:\<name> or something similar?

    Does this file need to be downloaded and installed everytime a user uses the application or can it be downloaded and installed by an admin?

    Bit more info would be good.

    Thanks

    Michael
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

    Comment


    • #3
      Re: User rights issue

      To take this further, I got the application modified file and the file to be downloaded in D: So this issue is reoslved.

      But another bottleneck....

      The application uses the following code to get the Hard Disk key and match it with a preset list to permit access.

      Code:
      Set WMI = GetObject("WinMgmts:")
      Set objs = WMI.InstancesOf("Win32_PhysicalMedia")
      For Each obj In objs
        strMBD = obj.SerialNumber
      Next
      When this code is executed by the Administrator, it works fine.

      But when this code is executed by a normal user, it does not output any key value, nor any PERMISSIONS ERROR.

      What do I need to set to make this code executable by a non-Admin user ?

      Pls help.

      Thx,
      Sandeep

      Comment


      • #4
        Re: User rights issue

        What do I need to set to make this code executable by a non-Admin user ?
        It's not easy to give you an exact answer to this question. Cannot do this properly for a known application like Word, even less for an unknown application.
        In cases like this, you have do the detective work by yourself. What I can do for you is to suggest tools that will make your life easier and reaching the answer an achievable task.
        Thus, I suggest you put some tools from Sysinternals, now part of Microsoft:
        - Filemon will tell you what files is the application trying to have access to, and so you can give proper permissions to the proper user on the proper file;
        - Regmon allows you to see to what Registry keys is the application trying to access. There might be a Registry issue too, but this you'll have to check by yourself;
        - ProcessMonitor is a newer tool, that can give you data relative the same like using both Filemon and Regmon. I know it less, so cannot tell you more than that.

        This is what I would do (and what I am doing, actually), to solve this kind of issues.

        Hope this info helps getting you a step froward toward the solution.
        Good luck and keep us posted.

        Sorin Solomon


        In order to succeed, your desire for success should be greater than your fear of failure.
        -

        Comment


        • #5
          OFFTOPIC REPLY Re: User rights issue

          Sysinternals, now part of Microsoft:
          Oh, FFS...


          Tom
          For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

          Anything you say will be misquoted and used against you

          Comment


          • #6
            Re: User rights issue

            As a learning step, I went ahead and installed ADS.

            Is it possible to give permissions to "An application".
            It may sound a bit dumb, but this is what I am trying to achieve.

            to summarize....

            I have an application which needs Admin rights to execute all its function.
            But all non-admin users, need to use this application.

            So I was wondering if I can give admin rights to this APPLICATION, such that immaterial of who uses this application, this application will execute with admin rights.

            Do you think this is possible, if so please point me to the right direction.

            I did try this : Right Click on the application Exe (its a single exe file apps).
            Properties > Compatibility > User Account Privileges > TICK All non-admin....
            Properties > Security > Groups or User names > Administrator

            But did not help.
            Pls advice.

            Thank you.

            regards,
            Sandeep

            Comment


            • #7
              Re: User rights issue

              (its a single exe file apps).
              Does that means it does not need no DLLs, no access to system folder and such?

              You can try this solution:
              - create a shortcut on the user's Desktop, with the following command to run:
              %windir%\system32\runas.exe /env /user:[YourMachine\Administrator] /savecred "[EXE to run]" ;
              - run the command once, it will ask you for the password. Enter it;
              - the application should open, and if you check the Task Manager, you'll see that it runs in the context of the Administrator.
              I did not check for how long the credentials are saved. And I don't know if you won't have to do this for every user, on every machine. These will remain for you to see...

              I'm not satisfied with the solution, but it does what you ask. Is this what you need?

              Sorin Solomon


              In order to succeed, your desire for success should be greater than your fear of failure.
              -

              Comment


              • #8
                Re: User rights issue

                I will sure check this and post the results.
                Is there any way to make a APPLICATION a part of the Administrator group.
                Just like how we can add a user to the Administrator group ??

                And yes, the file is a standalone EXE.

                regards,
                Sandeep

                Comment


                • #9
                  Re: User rights issue

                  Originally posted by sandeep_from View Post
                  Is there any way to make a APPLICATION a part of the Administrator group.
                  No. Permissions work with security related objects: users, groups, machines... An application is not such an object, thus you cannot assign it permissions.

                  Sorin Solomon


                  In order to succeed, your desire for success should be greater than your fear of failure.
                  -

                  Comment


                  • #10
                    Re: User rights issue

                    Sandeep, the application, if it uses AD controlled objects to do its job, will use an AD Account to run its services. If it doesn't run as a service, then the server it runs on will need to be logged in and the application will run in the context of the logged in user. So - find out which user account it runs under, and add that user to the relevant group.


                    Tom
                    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                    Anything you say will be misquoted and used against you

                    Comment

                    Working...
                    X