
Local Admin Rights - Microsoft

 
 
Bill Vogel

 
      08-11-2005
SBS Team,

I know this has been discussed at length in other posts but I would like to
see if Microsoft might be able to offer a solution. I have a program that
requires Local Admin rights. The program in question is PC Charge by Verifone.

I don't allow local admin rights for any of my users, ever. If a program
needs to be installed I login locally as the domain admin and install the
program. Granting local admin rights opens security holes that shouldn't be
opened in the first place. However there are many application developers that
require this right in order to run their programs.

How about creating a process to allow administrators to load a program and
assign a user right to the program.

How to sample:

1. The admin installs the program.
2. After installing the admin would right click the directory and choose a
new option called "rights". (This is different than the security or shared
permissions currently available)
3. The admin would add the user to the local admin group for this
application ONLY. There would be a groups dialog box available within the
"rights" option.
4. When the user logs into the domain using their standard user login they
would have NO admin capabilities.
5. When the user opens the program requiring local admin rights the user
would be switched to local admin FOR THE PROGRAM ONLY. If the user minimizes
the program screen and accesses another program i.e. Word, Outlook, etc they
would still use the local USER rights, NOT the admin rights.

Is this an impossible task? What can Microsoft do to help us admins who are
forced to require local admin rights?

--
Thanks,
Bill V
SBS ROCKS!
http://www.oursalon2u.com
http://www.raylon.com
http://sbsbill.blogspot.com/
 
 
 
 
 
Chad A. Gross [SBS MVP]

 
      08-11-2005
Hi Bill -

I hate to be blunt, but this isn't an MS problem. This is the software
developer's problem. MS has already provided the security framework (and as
a matter of fact, it's been available for quite some time) for restricted
user access - if the software developer cannot code their application within
the security framework, then it's an insecure application - period.

Am I correct in assuming that you're using PCCharge with a POS system? If
so - which one?

--

Chad A. Gross - SBS MVP
SBS ROCKS!

http://msmvps.com/cgross


 
 
Gregg Hill

 
      08-11-2005
Bill,

I have never tried it, but don't we already have the ability to "run as" a
different user? Right-click the executable and click Run as, then choose the
account you want.

Gregg Hill
 
Bill Vogel

 
      08-11-2005
Chad,

I agree, it's not an MS problem, it's the programmer who built the
application wrong. Well... right in their eyes, but certainly not in ours.

Actually the program is a stand alone product that processes our credit card
transactions. We enter them manually in our General Office.

Here's the kicker. The program itself works just fine in USER mode. However,
since we have a multi user license I need to install a client application
that will run on other users' PCs. I then need to share the program's
directory on the "server" (the user's PC with the program) and allow access to
the users connecting to it. I then install the client app on the other users'
PCs. But, even though I've shared the directory, given all the correct
permissions and what not, the client program will not run since the users'
rights are not set to admin.

Amazing... They built the main application correct but couldn't build the
client application right.

--
Thanks,
Bill V
SBS ROCKS!
http://www.oursalon2u.com
http://www.raylon.com
http://sbsbill.blogspot.com/
 
Bill Vogel

 
      08-11-2005
Gregg,

The run-as is an option although this vendor does not support this. Not sure
if it will work. Haven't tried it as yet. Maybe I'll tinker with it, but as I
said in my original post it would be great to set up the application to use
the correct right without needing to enter it each time.
--
Thanks,
Bill V
SBS ROCKS!
http://www.oursalon2u.com
http://www.raylon.com
http://sbsbill.blogspot.com/
 
Steve Foster [SBS MVP]

 
      08-11-2005
Bill Vogel wrote:

>SBS Team,
>
>I know this has been discussed at length in other posts but I would like to
>see if Microsoft might be able to offer a solution. I have a program that
>requires Local Admin rights. The program in question is PC Charge by
>Verifone.
>
>I don't allow local admin rights for any of my users, ever. If a program
>needs to be installed I login locally as the domain admin and install the
>program. Granting local admin rights opens security holes that shouldn't be
>opened in the first place. However there are many application developers
>that require this right in order to run their programs.
>
>How about creating a process to allow administrators to load a program and
>assign a user right to the program.
>
>How to sample:
>
>1. The admin installs the program.
>2. After installing the admin would right click the directory and choose a
>new option called "rights". (This is different than the security or shared
>permissions currently available)
>3. The admin would add the user to the local admin group for this
>application ONLY. There would be a groups dialog box available within the
>"rights" option.
>4. When the user logs into the domain using their standard user login they
>would have NO admin capabilities.
>5. When the user opens the program requiring local admin rights the user
>would be switched to local admin FOR THE PROGRAM ONLY. If the user
>minimizes the program screen and accesses another program i.e. Word,
>Outlook, etc they would still use the local USER rights, NOT the admin
>rights.
>
>Is this an impossible task? What can Microsoft do to help us admins who are
>forced to require local admin rights?


They could beat up on application vendors more, but that's about it.

All your solution does is grant bad programs administrative privileges.
Since the application vendor has already demonstrated disregard for the
Windows security model, who's to say their coding will be safe?

--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.
 
 
Bill Vogel

 
      08-11-2005
Steve,

Good Point. Really what I was thinking of is an easier way to handle these
non-compliant programs. They may not go away overnight so to allow specific
rights per program and not per user would help us out. Although this would
also take the responsibility away from the bad developers out there too. Hmm,
catch 22.
--
Thanks,
Bill V
SBS ROCKS!
http://www.oursalon2u.com
http://www.raylon.com
http://sbsbill.blogspot.com/
 
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

 
      08-12-2005
www.threatcode.com

Beat up on the 'right' vendor.

Bill Vogel wrote:
> Chad,
>
> I agree, it's not an MS problem, it's the programmer who built the
> application wrong. Well... right in their eyes, but certainly not in ours.
>
> Actually the program is a stand alone product that processes our credit card
> transactions. We enter them manually in our General Office.
>
> Here's the kicker. The program itself works just fine in USER mode. However,
> since we have a multi user license I need to install a client application
> that will run on other users' PCs. I then need to share the program's
> directory on the "server" (the user's PC with the program) and allow access to
> the users connecting to it. I then install the client app on the other users'
> PCs. But, even though I've shared the directory, given all the correct
> permissions and what not, the client program will not run since the users'
> rights are not set to admin.
>
> Amazing... They built the main application correct but couldn't build the
> client application right.
>

 
 
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

 
      08-12-2005
www.threatcode.com

Names please?

Leythos wrote:
> In article <6833992D-F0CA-4619-8937->,
> me says...
>
>>Steve,
>>
>>Good Point. Really what I was thinking of is an easier way to handle these
>>non-compliant programs. They may not go away overnight so to allow specific
>>rights per program and not per user would help us out. Although this would
>>also take the responsibility away from the bad developers out there too. Hmm,
>>catch 22.

>
>
> I run into this a lot, where the applications are poorly written and
> require the user to either be an administrator to install them, or at
> least a power user to run them.
>
> As an example, I have a client that uses medical software. The
> application will run in User mode, but, the users can't install any of
> the updates unless they are administrators. As the vendor pushes out new
> updates (which are DLL files) a couple times a week, it means that the
> administrator must install and manually regsvr32 the DLL's on each
> computer. Now, I've gone to creating a batch file to push the DLL's out
> to the workstations, but there is no simple way to automate the
> registration of the DLL's on each computer - you can't do it in their
> login script as it runs as a User level permission and regsvr32 is not
> permitted by users..... So, to make life easy I have a batch file that's
> run on logon (it's normally empty) and populate it with the reg commands
> for each dll, then logon as Administrator, log out, and then when all
> machines have been done I delete the contents of the batch file so that
> users don't experience the errors.
>
> On another note, what about the lame vendors that write updates and ship
> them, have an admin install the update, but, wait, the update is only
> loaded when you run the installer, you have to actually open the
> application to complete the installation - and you have to still be an
> administrator.
>
> Kind of like using Quicken/Quickbooks - you have to be an admin to run
> it.
>

 
 
Tom Del Rosso

 
      08-12-2005
"Leythos" <> wrote in message
news:...
>
> Kind of like using Quicken/Quickbooks - you have to be an admin to run
> it.


Recently I found it necessary to open up HKLM/software/microsoft/tracing
before a user could get some Quickbooks updates. I think that key is for
debugging, so they probably left some debug code in there to top it off.



--

Reply in group, but if emailing add
2 more zeros and remove the obvious.
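
Added example, not written by any poster in this thread: a PowerShell sketch of the narrower alternative to local admin that the post above describes, granting one group a scoped right on the one registry key an application fails on. The group name `CONTOSO\QuickBooks Users` is hypothetical, and the rights chosen are an assumption; confirm them against the access the application is actually denied.

```powershell
#Requires -RunAsAdministrator
# Added example: scoped registry ACE instead of local admin membership.
# Key path is the one named in the post; the group name is hypothetical.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Tracing'
$group   = 'CONTOSO\QuickBooks Users'

# 1. Save the current security descriptor so the change can be reviewed and undone.
$acl    = Get-Acl -Path $keyPath
$backup = Join-Path $env:TEMP 'tracing-acl-before.sddl'
$acl.Sddl | Set-Content -Path $backup

# 2. List who can already write to the key before adding anything.
$writeMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.RegistryRights -band $writeMask) } |
    Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize

# 3. Build an ACE limited to reading the key, setting values and creating subkeys.
#    No Delete, ChangePermissions or TakeOwnership (assumed sufficient; verify).
$rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
$rule   = New-Object System.Security.AccessControl.RegistryAccessRule(
              $group, $rights, 'ContainerInherit', 'None', 'Allow')

# 4. Apply it to this key (and its subkeys) only.
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 5. Confirm the result: the group should appear once, with only the rights above.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -eq $group } |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags -AutoSize

# Rollback, if needed:
#   $old = Get-Acl -Path $keyPath
#   $old.SetSecurityDescriptorSddlForm((Get-Content $backup -Raw).Trim())
#   Set-Acl -Path $keyPath -AclObject $old
```

The users stay standard users everywhere else; only this key's ACL changes, and the saved SDDL file records what it looked like before.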


 