Setup Power Users without actually making them Power Users in AD

BombaStar
I have a Win2003 Server Domain with 2 XP Pro workstations.

I want my users to be able to run AutoCAD and other applications which normally require Power User permissions to operate.

I've given Power User permissions on the local machines but I don't want my users to have THAT many permissions. I DO NOT want them installing anything, I DO NOT want them to be able to change ANY system settings. The last thing I want is someone "clicking around" one day while they're bored.

Also, setting up Power Users on every machine now is OK cause I only have 2, but what about when I have 200? (I'm an optimist)

Is there any specific permission, or set of permissions, that would allow these programs to function properly? Do I have to create a special Group Policy?

Any and all help is appreciated.
  • +
    0 Votes
    Why Me Worry?

    Windows 2003 is very different from older versions of Windows when it comes to security and groups. What you will have to do is create an exception rule for the executable file in the Data Execution Prevention section of My Computer properties to allow the application unrestricted access to run under the context of a local admin without having to explicitly give the users admin rights to their machines. I am very reluctant to give end users admin rights to their PCs because they will eventually figure out that their machines are not locked down and will start to tinker with all sorts of settings, creating a problem for desktop support and the admins.

    +
    0 Votes
    neebski

    Hello there, I am also looking for this exact same solution. I have users that use BW and when printing payroll they need power user permissions. My users are currently running as domain admins but I didn't tell them that. It's just a temporary fix for the users that need to use this particular piece of software but if anyone does know a fix please let us know!

    Thanks so much!
    - Kevin Neberman

    +
    0 Votes
    DaveLissa

    I had a similar problem a while ago, but I think it was in Microstation.

    I made them restricted users, but gave "Everyone" group full rights to Microstation folder and subfolders. Worked perfectly.

    It has to be done manually on each W/S, but you can access the folders from a DC and do it remotely.

    Hope that helps.

    +
    0 Votes
    dapowers

    I agree, usually it is a problem with permissions in the apps folder. On occasion it has also been with permissions in the registry.

    If the vendor can't tell you then try turning on file auditing for the folder in question and look for failed events in the event log after you try to use it as a normal user. Same for registry. Doesn't always work but is worth a try. Might want to increase the event log size before trying it.

    Bill
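
The audit-then-grant approach from the replies above, as an added example that is not part of any post: it groups failed object-access audits for one user and one program by folder or registry key, so only those locations need a grant instead of "Everyone" full rights on the whole application folder. The CSV layout, the `CadApp` paths and the `EXAMPLE\jdoe` account are constructed for illustration.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Constructed sample: object-access audit records exported to CSV after running
# the program as a restricted user. Column layout, paths and names are assumed.
SAMPLE = r"""result,object_type,object_name,user,image,accesses
Failure,File,C:\Program Files\CadApp\Support\settings.cfg,EXAMPLE\jdoe,C:\Program Files\CadApp\cad.exe,WriteData
Failure,File,C:\Program Files\CadApp\Support\plot.log,EXAMPLE\jdoe,C:\Program Files\CadApp\cad.exe,WriteData;AppendData
Failure,File,C:\Program Files\CadApp\cad.lic,EXAMPLE\jdoe,C:\Program Files\CadApp\cad.exe,WriteData
Success,File,C:\Program Files\CadApp\cad.exe,EXAMPLE\jdoe,C:\Program Files\CadApp\cad.exe,ReadData
Failure,Key,\REGISTRY\MACHINE\SOFTWARE\CadVendor\Profiles,EXAMPLE\jdoe,C:\Program Files\CadApp\cad.exe,SetValue
Failure,File,C:\WINDOWS\system32\drivers\etc\hosts,EXAMPLE\jdoe,C:\WINDOWS\explorer.exe,WriteData
"""

CODE_EXT = (".exe", ".dll")  # a writable folder holding these lets users swap binaries


def denied_by_container(csv_text, user, image):
    """Return [(type, container, denied_rights, holds_code)] for one user and program."""
    needed = defaultdict(set)  # (type, container) -> rights that were denied
    holds_code = set()         # folders in which an executable was seen
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, kind = row["object_name"], row["object_type"]
        # Files are grouped by parent folder; registry keys stand for themselves.
        container = ntpath.dirname(name) if kind == "File" else name
        if kind == "File" and name.lower().endswith(CODE_EXT):
            holds_code.add(container.lower())
        if (row["result"] == "Failure"
                and row["user"].lower() == user.lower()
                and row["image"].lower() == image.lower()):
            needed[(kind, container)].update(row["accesses"].split(";"))
    return [(kind, c, sorted(rights), c.lower() in holds_code)
            for (kind, c), rights in sorted(needed.items())]


if __name__ == "__main__":
    rows = denied_by_container(SAMPLE, r"EXAMPLE\jdoe",
                               r"C:\Program Files\CadApp\cad.exe")
    for kind, container, rights, risky in rows:
        scope = "grant per file, folder holds binaries" if risky else "grant on container"
        print(f"{kind:4} {container}: {', '.join(rights)} ({scope})")
```

Denials raised by other programs, such as the `explorer.exe` row, are filtered out so they do not widen the grant.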

    +
    0 Votes
    CG IT

    Or you can use group policy if you have a lot of workstations in which to deploy an application. This option does require some effort administratively in creating the install package.

    What you do is create a .msi package for deployment and in creating this package you specify how the program runs and what account it runs under. You can use the Run As command. When a user first runs the program, the credentials used during making the .msi package are in use and that is transparent to the user. The program just runs.

    Also, the domain users account often gives users sufficient rights to install software without having to resort to the power users group.

    Another option is to create a security group for the sole purpose of installing software granting users of that group the ability to install. Once the application is installed you then remove those users from that group. If needed again, just add the user to that group until the application is installed, then remove them. Of course this is administrative effort, but it does cut down on giving users more privileges than they really need.

    +
    0 Votes
    DaveLissa

    ....but I think the user wanted a way to stop desktop users from installing programs, and at the same time, give users ways to run software that allows changes that usually only local administrators have.

    Good information, though.
