Archived from groups: microsoft.public.win2000.group_policy (
More info?)
There is no native way to do such. Windows XP Pro can use Software
Restriction Policies to restrict what applications a user can install or
run - even the local administrator. Otherwise you can try to get the
application to work as a regular user by modifying ntfs and registry
permissions though that will not always work if administrator access is
required that can not be given to a regular user through changing
ntfs/registry permissions or user rights. If the application will work when
the user is a power user then it is possible for sure. The main areas to
check are the application folder in program files, any application subfolder
in program files\common files, and application subfolder in the documents
and settings\all users\application data folder, and for the application
folder registry key in hklm\software. You would want to give users write or
possibly modify permissions to those locations.
Beyond that you can use the free tools from SysInternals called filemon and
regmon to try and track down "access denied" log entries for a regular user
when the application is run. Since their may be multiple places where
permissions need to be modified you would have to continue to run
filemon/regmon in a trial end error basis after making permission changes to
allow a user access to the file or registry key where they were denied
access until no more access denied log entries are found. To be able to do
this you need to logon as a regular user, execute filemon or regmon via
runas with admin credentials just before you try to run the application, and
stop logging of filemon/regmon as soon as the application fails and view
the logs for access denied. The log can contain thousands of entries but you
will learn to scan them fairly fast. It may also be helpful to enable
auditing of object access and privilege use for failure to see if entries
are recorded in the security log that may also prove helpful. A failure of a
privilege use mean the user does not have the user right as shown in Local
Security Policy. --- Steve
http://www.sysinternals.com/ntw2k/source/filemon.shtml
"Fran >" <<fran> wrote in message
news:2hpv11doudsd3mcmh1aacqr54rjns10c8n@4ax.com...
>I have three apps that users are required to use that must have local
> administrator access to run. I'm not sure what they need admin access
> for yet but they certainly won't run without it.
>
> I have a reluctance to grant every user that runs these apps local
> admin access (especially with all the sypware out there now.)
>
> I've tried RUN AS but that doesn't grant enough privaleges apparently
> as they won't run under "Run As".
>
> Is there a way I can grant admin access to ONLY the application(s) and
> not the users in general? I can't count the hours I've spent trying to
> remove spyware and dopy apps some of these users d/l or bring in from
> home.
>
> -Fran-
Facebook
Twitter
Instagram