System Administrator vs. Application Administrator

There seem to be a lot of posts about UAC, proper system administration
practices, programming practices, etc., but I haven't yet seen a good
answer to how best to implement a setup where an application
administrator is not the system administrator.

To use an example from another thread, the FamilyAddress program. Mom,
Dad, Billy and Tammy all use the application under their own Limited
User Windows logins. Mom and Dad are application administrators, but
only Dad is a system administrator (under a separate Windows
administrative login). All need to be able to add/edit/delete private
addresses, but Billy and Tammy shouldn't be able to see other users
private addresses. All need to be able to read common addresses. Mom
and Dad both need to be able to add/edit/delete common addresses (or
move a private address to the common area), and as application
administrators can access the private addresses of all users in the
system. To complicate matters, as application administrators, Mom and
Dad need to be able to set global application parameters.

Where, in Vista, can/should you place the data file or files for this
type of application? Where should the global application parameters be
stored?

Please, I'm not trying to troll, bash, flame, belittle anyone or
anything here. I really want to understand how this should properly be
done in Vista and I've not yet seen anything that looks to me like it
would work without modifying the underlying system security / access
restrictions.

Regards,

Dave

Hello,

Per-user stores would be stored in each user's profile, while the
per-machine info (such as global addresses and any configuration info) would
be in the per-machine location.

If you didn't add the abstraction for Application Administrator, the default
security settings would suffice.

However, you are correct that you would need to edit the security on the
files to make your scenario work, since Windows has no notion of an
Application Administrator. You would need to create the Application
Administrator user group and then give that user group access rights to the
files/folders that they are meant to manage.

As an alternative to directly using files to access your data and settings
from your main program, you could implement a windows service that manages
the files for your app and then exposes an API for your application (and
other applications) to call and get the data. In this solution, all of the
files could be stored in the per-user location for the service (which should
only allow the SYSTEM or service account access and deny everyone else). The
service would be responsible for determining who has access to what.
However, you would need to be extremely careful that your service does not
introduce any security holes by allowing users or other programs to use your
service to do something that they are not supposed to be able to do.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/