way to let users run program as admin iwthout knowing admi..

G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general (More info?)

I'm running win XP home with 4 restricted user accounts for 4 kids.

I have two programs that ran OK on WinME and run just fine under an
admin account on XP, but don't run properly under a restricted account.
One is a Disney game. The other is the "well of souls" multi-user game.

I can let the kids run those programs as the admin user using the "Run As"
feature, but to do that they need the admin password, so they're always
asking me to type it in for them.

So, I want a way to allow those just two programs to always run as an
admin user, without having to enter the admin password each time they run.
Is there any way to do that?
 

z

Distinguished
Apr 7, 2004
217
0
18,680
Archived from groups: microsoft.public.windowsxp.general (More info?)

Nelson B wrote:
> I have two programs that ran OK on WinME and run just fine under an
> admin account on XP, but don't run properly under a restricted account.
> One is a Disney game. The other is the "well of souls" multi-user game.

What is the error you get?

What doesn't work?
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general (More info?)

Nelson B wrote:
> I'm running win XP home with 4 restricted user accounts for 4 kids.
>
> I have two programs that ran OK on WinME and run just fine under an
> admin account on XP, but don't run properly under a restricted account.
> One is a Disney game. The other is the "well of souls" multi-user game.
>
> I can let the kids run those programs as the admin user using the "Run As"
> feature, but to do that they need the admin password, so they're always
> asking me to type it in for them.
>
> So, I want a way to allow those just two programs to always run as an
> admin user, without having to enter the admin password each time they run.
> Is there any way to do that?


However, you may experience some problems if the software was
designed for Win9x/Me, or if it was intended for WinNT/2K/XP, but was
improperly designed. Quite simply, the application doesn't "know" how to
handle individual user profiles with differing security permissions
levels, or the application is designed to make to make changes to
"off-limits" sections of the Windows registry or protected Windows
system folders.

For example, saved data are often stored in a sub-folder under the
application's folder within C:\Program Files - a place where no
inexperienced or limited user should ever have write permissions.

It may even be that the software requires "write" access to parts
of the registry or protected systems folders/files that are not normally
accessible to regular users. (This *won't* occur if the application is
properly written.) If this does prove to be the case, however, you're
often left with three options: Either grant the necessary users
appropriate higher access privileges (either as Power Users or local
administrators), explicitly grant normal users elevated privileges to
the affected folders and/or part(s) or the registry, or replace the
application with one that was properly designed specifically for
WinNT/2K/XP.

Some Programs Do Not Work If You Log On from Limited Account
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q307091

Additionally, here are a couple of tips suggested, in a reply to a
different post, by MS-MVP Kent W. England:

"If your game or application works with admin accounts, but not with
limited accounts, you can fix it to allow limited users to access the
program files folder with "change" capability rather than "read" which
is the default.

C:\>cacls "Program Files\appfolder" /e /t /p users:c

where "appfolder" is the folder where the application is installed.

If you wish to undo these changes, then run

C:\>cacls "Program Files\appfolder" /e /t /p users:r

If you still have a problem with running the program or saving
settings on limited accounts, you may need to change permissions on
the registry keys. Run regedit.exe and go to HKLM\Software\vendor\app,
where "vendor\app" is the key that the software vendor used for your
specific program. Change the permissions on this key to allow Users
full control."



--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general (More info?)

Bruce Chambers wrote:
> Nelson B wrote:
>
>> I'm running win XP home with 4 restricted user accounts for 4 kids.
>>
>> I have two programs that ran OK on WinME and run just fine under an
>> admin account on XP, but don't run properly under a restricted account.
>> One is a Disney game. The other is the "well of souls" multi-user game.
>>
>> I can let the kids run those programs as the admin user using the "Run
>> As"
>> feature, but to do that they need the admin password, so they're always
>> asking me to type it in for them.
>>
>> So, I want a way to allow those just two programs to always run as an
>> admin user, without having to enter the admin password each time they
>> run.
>> Is there any way to do that?
>
>
>
> However, you may experience some problems if the software was
> designed for Win9x/Me, or if it was intended for WinNT/2K/XP, but was
> improperly designed. Quite simply, the application doesn't "know" how to
> handle individual user profiles with differing security permissions
> levels, or the application is designed to make to make changes to
> "off-limits" sections of the Windows registry or protected Windows
> system folders.
>
> For example, saved data are often stored in a sub-folder under the
> application's folder within C:\Program Files - a place where no
> inexperienced or limited user should ever have write permissions.
>
> It may even be that the software requires "write" access to parts of
> the registry or protected systems folders/files that are not normally
> accessible to regular users. (This *won't* occur if the application is
> properly written.) If this does prove to be the case, however, you're
> often left with three options: Either grant the necessary users
> appropriate higher access privileges (either as Power Users or local
> administrators),

Does XP home have power users?

> explicitly grant normal users elevated privileges to
> the affected folders and/or part(s) or the registry,

That might help with the disney program. The well of souls program was
installed by the restricted user in his own "My documents" directory,
so file/folder access is not an issue for that one.

I fear the registry is so disorganized that finding the relevant parts
of it would be the proverbial needle-haystack excersize.

> or replace the
> application with one that was properly designed specifically for
> WinNT/2K/XP.
>
> Some Programs Do Not Work If You Log On from Limited Account
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;q307091
>
> Additionally, here are a couple of tips suggested, in a reply to a
> different post, by MS-MVP Kent W. England:
>
> "If your game or application works with admin accounts, but not with
> limited accounts, you can fix it to allow limited users to access the
> program files folder with "change" capability rather than "read" which
> is the default.
>
> C:\>cacls "Program Files\appfolder" /e /t /p users:c
>
> where "appfolder" is the folder where the application is installed.
>
> If you wish to undo these changes, then run
>
> C:\>cacls "Program Files\appfolder" /e /t /p users:r
>
> If you still have a problem with running the program or saving
> settings on limited accounts, you may need to change permissions on
> the registry keys. Run regedit.exe and go to HKLM\Software\vendor\app,
> where "vendor\app" is the key that the software vendor used for your
> specific program. Change the permissions on this key to allow Users
> full control."

I'll try these with the disney app.

In the meantime, if someone does find a way to do a WinXP equivalent of
the Unix/Linux "setuid root", do post it here.

Thanks.
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general (More info?)

Nelson B wrote:
> I'm running win XP home with 4 restricted user accounts for 4 kids.
>
> I have two programs that ran OK on WinME and run just fine under an
> admin account on XP, but don't run properly under a restricted
> account. One is a Disney game. The other is the "well of souls"
> multi-user game.
>
> I can let the kids run those programs as the admin user using the
> "Run As" feature, but to do that they need the admin password, so
> they're always asking me to type it in for them.
>
> So, I want a way to allow those just two programs to always run as an
> admin user, without having to enter the admin password each time they
> run. Is there any way to do that?

Best thing is to find out what file/folder/registry key they need access to
and change the permissions on that file/folder/registry key.

Easiest way to go about that in your case would be to change the permissions
on the installed applications folder and all sub-folders so the users
(better yet - their group) has full rights to the files there.. Check in the
registry for any keys that the game writes to - especially to
HKEY_LOCAL_MACHINE entries - and give the userrs (better yet - their group)
permissions to said key and try that.

Likely it is as simple as the folder permissions on the applications
directory or on the All Users profile directory... However - it could be
that the game writes to the directory (profile) of the user who first
installed it - but that would be unusual now-a-days.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general (More info?)

Is that similar to the principle for how Limited Users get rights to burn
CDs by being added to the User Group "Nero"?


"Shenan Stanley" <newshelper@gmail.com> wrote in message
news:%23KD3kG%23uFHA.464@TK2MSFTNGP15.phx.gbl...
> Nelson B wrote:
>> I'm running win XP home with 4 restricted user accounts for 4 kids.
>>
>> I have two programs that ran OK on WinME and run just fine under an
>> admin account on XP, but don't run properly under a restricted
>> account. One is a Disney game. The other is the "well of souls"
>> multi-user game.
>>
>> I can let the kids run those programs as the admin user using the
>> "Run As" feature, but to do that they need the admin password, so
>> they're always asking me to type it in for them.
>>
>> So, I want a way to allow those just two programs to always run as an
>> admin user, without having to enter the admin password each time they
>> run. Is there any way to do that?
>
> Best thing is to find out what file/folder/registry key they need access
> to and change the permissions on that file/folder/registry key.
>
> Easiest way to go about that in your case would be to change the
> permissions on the installed applications folder and all sub-folders so
> the users (better yet - their group) has full rights to the files there..
> Check in the registry for any keys that the game writes to - especially to
> HKEY_LOCAL_MACHINE entries - and give the userrs (better yet - their
> group) permissions to said key and try that.
>
> Likely it is as simple as the folder permissions on the applications
> directory or on the All Users profile directory... However - it could be
> that the game writes to the directory (profile) of the user who first
> installed it - but that would be unusual now-a-days.
>
> --
> Shenan Stanley
> MS-MVP
> --
> How To Ask Questions The Smart Way
> http://www.catb.org/~esr/faqs/smart-questions.html
>
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general (More info?)

Shenan Stanley wrote:
> Nelson B wrote:
>
>>I'm running win XP home with 4 restricted user accounts for 4 kids.
>>
>>I have two programs that ran OK on WinME and run just fine under an
>>admin account on XP, but don't run properly under a restricted
>>account. One is a Disney game. The other is the "well of souls"
>>multi-user game.
>>
>>I can let the kids run those programs as the admin user using the
>>"Run As" feature, but to do that they need the admin password, so
>>they're always asking me to type it in for them.
>>
>>So, I want a way to allow those just two programs to always run as an
>>admin user, without having to enter the admin password each time they
>>run. Is there any way to do that?
>
>
> Best thing is to find out what file/folder/registry key they need access to
> and change the permissions on that file/folder/registry key.

I've used regmon and gotten TONS of output, none of which was particularly
revealing.

> Easiest way to go about that in your case would be to change the permissions
> on the installed applications folder and all sub-folders so the users
> (better yet - their group) has full rights to the files there.. Check in the
> registry for any keys that the game writes to - especially to
> HKEY_LOCAL_MACHINE entries - and give the userrs (better yet - their group)
> permissions to said key and try that.
>
> Likely it is as simple as the folder permissions on the applications
> directory or on the All Users profile directory... However - it could be
> that the game writes to the directory (profile) of the user who first
> installed it - but that would be unusual now-a-days.

In the "well of souls" case, the program was installed by the restricted
user in his own "My Documents" directory. So, the user already has full
access to the installed files and directories. Since the restricted user
installed the program, presumably the registry keys were also created by
that user, and therefore he has rights to them also. The well of souls
problem is a networking problem. It uses UDP packets (like streaming
audio or video does), and doesn't seem to be able to do them except as
an admin user. It acts like its not on the net when run by the restricted
user, and works fine when run by admin.

The disney game was installed by admin because it insisted on installing
in program files. Problem seems to be with DirectX. It doesn't see to be
able to properly control the screen colors except when running as admin.
It looks OK except colors are all wrong. Tried various Win95 and graphics
compatibility modes. None helped when running as restricted, and none was
needed when running as admin.

I know how to change file/folder permissions in the "Pro" version.
But I've never seen the "Security" tab in file/folder properties in XP Home.
How does one do it in the Home version?

Thanks for your suggestions.
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general (More info?)

Nelson B wrote:

> I'm running win XP home with 4 restricted user accounts for 4 kids.
>
> I have two programs that ran OK on WinME and run just fine under an
> admin account on XP, but don't run properly under a restricted account.
> One is a Disney game. The other is the "well of souls" multi-user game.
>
> I can let the kids run those programs as the admin user using the "Run As"
> feature, but to do that they need the admin password, so they're always
> asking me to type it in for them.
>
> So, I want a way to allow those just two programs to always run as an
> admin user, without having to enter the admin password each time they run.
> Is there any way to do that?
Hi,

Different RunAs products listed here, some free and some not, some
with encryption option for the password as well:

http://groups.google.co.uk/groups?selm=3FE0B42C.773CA875%40hydro.com

Other ones not mentioned in the link above:

SUperior SU (free, has a command line iterface)
http://www.stefan-kuhr.de/supsu/main.php3

Supercrypt (as well as LSrunas/LSrunasE)
http://www.lansweeper.com/ls/lsrunas.aspx

Runasspc
http://www.robotronic.de/runasspcEn.html


You may also want to check out PolicyMaker Application Security
(previously NeoExec), the main difference is that it does not require
the use of a second account, as most other RunAs derivatives requires.

PolicyMaker Application Security
http://www.desktopstandard.com/PolicyMakerApplicationSecurity.aspx



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general (More info?)

Torgeir Bakken (MVP) wrote:
> Nelson B wrote:

>> So, I want a way to allow those just two programs to always run as an
>> admin user, without having to enter the admin password each time they
>> run.
>> Is there any way to do that?

> Different RunAs products listed here, some free and some not, some
> with encryption option for the password as well:
>
> http://groups.google.co.uk/groups?selm=3FE0B42C.773CA875%40hydro.com
>
> Other ones not mentioned in the link above:
>
> SUperior SU (free, has a command line iterface)
> http://www.stefan-kuhr.de/supsu/main.php3
>
> Supercrypt (as well as LSrunas/LSrunasE)
> http://www.lansweeper.com/ls/lsrunas.aspx
>
> Runasspc
> http://www.robotronic.de/runasspcEn.html
>
> You may also want to check out PolicyMaker Application Security
> (previously NeoExec), the main difference is that it does not require
> the use of a second account, as most other RunAs derivatives requires.
>
> PolicyMaker Application Security
> http://www.desktopstandard.com/PolicyMakerApplicationSecurity.aspx

Thanks. Several of those look promising.

--
Nelson B