How to give non-admin user ability to chkdsk drive?

Discussion in 'Windows Vista Security' started by Dave R., Jun 19, 2008.

  1. Dave R.

    Dave R. Guest

    On some Vista Business systems I deploy, I need to be able to give
    non-admin users the ability to chkdsk drives. I found the "Perform
    volume maintenance tasks" user rights policy, but that isn't doing it.

    Anyone know if it is even possible (I know some things can only be done
    by Administrators), and if so, how?

    Regards,

    Dave
     
    Dave R., Jun 19, 2008
    #1

  2. Dave R.

    Dave R. Guest

    Widening the net to include a couple of additional newsgroups...

    Does anyone know if this can be done, and if so, how?

    Regards,

    Dave
     
    Dave R., Jun 20, 2008
    #2

  3. Mr. Arnold

    Mr. Arnold Guest

    Even on XP, I don't think you can run ChKdsk without admin rights on XP if
    the file system is NTFS and you can't do it on Vista with the file system
    being NTFS. The only way you can do it is if the file system is FAT32 -- no
    security.
     
    Mr. Arnold, Jun 20, 2008
    #3
  4. Dave R.

    Dave R. Guest

    That's what I was afraid of. Any idea why this would be restricted to
    administrators only?

    Regards,

    Dave
     
    Dave R., Jun 23, 2008
    #4
  5. Mr. Arnold

    Mr. Arnold Guest

    Because they are administrators that administer the O/S?
     
    Mr. Arnold, Jun 24, 2008
    #5
  6. Because only administrators should have file system level access to the
    contents of the hard drive; it's not something regular users should ever
    have to do.


    --

    Bruce Chambers

    Help us help you:
    http://www.catb.org/~esr/faqs/smart-questions.html

    http://support.microsoft.com/default.aspx/kb/555375

    They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety. ~Benjamin Franklin

    Many people would rather die than think; in fact, most do. ~Bertrand Russell

    The philosopher has never killed any priests, whereas the priest has
    killed a great many philosophers.
    ~ Denis Diderot
     
    Bruce Chambers, Jun 24, 2008
    #6
  7. Dave R.

    Dave R. Guest

    I'm apparently not being clear, so let me try again:

    Why can't I as an administrator give the ability to do any administrator
    task to another user without giving them the ability to do ALL
    administrator tasks? That design seems lacking to me.

    Regards,

    Dave
     
    Dave R., Jun 24, 2008
    #7
  8. Dave R.

    Dave R. Guest

    The problem with that approach is that it lacks granularity in privilege
    assignment. Just because a user can be trusted to do some aspects of
    system administration does not necessarily mean they can be trusted to
    perform all aspects of system administration. Yet, in this case (and
    others I keep running across), I cannot separate the ability to do a
    simple disk check from the ability to do ALL administrative tasks.

    We are trying to put into place a concept of a "System Maintainer" -
    someone who can handle many aspects of system maintenance, but doesn't
    have the keys to the kingdom as it were. Unfortunately, we are being
    thwarted by the security model built into Windows. If anyone has any
    ideas on how to approach this in a Windows (specifically, Vista)
    environment, I'm all ears.

    Regards,

    Dave
     
    Dave R., Jun 24, 2008
    #8
  9. Mark

    Mark Guest

    Command-line utilities can be run from standard user without prompts if the
    application is given a manifest assigning highestAvailable. Unfortunately,
    this may also not give the results you want...
    The higher privileged application will open in a separate "DOS" window and
    close without providing the user an opportunity to read any information
    presented. ChkDsk can be assigned in this method to run on the next boot
    where the information will be provided to the user, or the logfile that
    ChkDsk could be reviewed after running, but no protected area sectors can be
    repaired while run from a standard user.

    Again, this is probably not what you wanted.
    Easier would be to set up ChkDsk to run each boot by marking the disk as
    "dirty" during network initialization.
    Again, missing the concept. You want to provide the standard user the
    ability to run certain applications while running Windows.

    I don't think that exists. Nor did it exist in prior versions. (They were
    simply running as administrator and you restricted those functions you did
    not want to give to them.)
     
    Mark, Jun 24, 2008
    #9
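
A diagnostic for the situation discussed in this thread, as an added example that is not part of any post: it reports whether the current session is elevated and whether its token holds SeManageVolumePrivilege (the internal name of the "Perform volume maintenance tasks" right), then runs a read-only chkdsk and logs the output so it survives the console window closing. The default drive letter and log path are assumptions.

```powershell
# Added example (not from the thread). Reports what the current token can do,
# then runs a read-only chkdsk and keeps the output in a log file.
param(
    [string]$Drive   = 'C:',                            # volume to check (assumption)
    [string]$LogPath = "$env:TEMP\chkdsk-readonly.log"  # hypothetical log location
)

# 1. Is this process running with an elevated Administrators token?
#    Under UAC a non-elevated administrator reports False here.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Does the token carry the "Perform volume maintenance tasks" right?
#    whoami /priv lists the privileges held by the current token;
#    the internal privilege name is not localized.
$privLine      = whoami /priv | Select-String -Pattern 'SeManageVolumePrivilege'
$hasVolumePriv = [bool]$privLine

"User:                    $($identity.Name)"
"Elevated administrator:  $isAdmin"
"SeManageVolumePrivilege: $hasVolumePriv"

if (-not $isAdmin) {
    "Not elevated; skipping chkdsk."
    return
}

# 3. Read-only scan (no /f or /r): reports problems, changes nothing on disk.
#    Tee-Object shows the output and writes the same text to the log.
chkdsk $Drive 2>&1 | Tee-Object -FilePath $LogPath
"chkdsk exit code: $LASTEXITCODE (log: $LogPath)"
```

Run as a standard user who has been granted the user right, the second and third report lines show the privilege present while the elevation check stays False.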

  10. Part of the problem is that, for some reason, you're mistakenly
    thinking of Chkdsk as some sort of routine maintenance tool. It isn't.
    It's designed to find and correct problems with the hard drive
    (limited, to be sure) and the file system. It has no preventative
    value, at all. All its routine periodic use would do is unnecessarily
    increase the wear and tear on the hard drives.

    And granting ordinary (or even power users) the ability to alter the
    very foundation on which the OS, applications, and data rests is very
    much granting the "keys to the kingdom."


    --

    Bruce Chambers

     
    Bruce Chambers, Jun 25, 2008
    #10
  11. Dave R.

    Dave R. Guest

    No, I'm not. I'm thinking that *some* aspects of system administration
    can be handled by *some* users who have *some*, but not all, of the
    rights/privileges of system administrators.
    I'm fully aware of chkdsk's purpose and usage, thanks.
    I'm not looking for "preventative value".
    First, I'm not looking for it to be used "periodically" or "routinely".
    Second, if you actually believe this, then you have no idea how a hard
    drive functions. That's like saying "the routine periodic reading of
    data from hard drives unnecessarily increases the wear and tear on the
    hard drives."
    I'm not looking to give "ordinary" users, or "power users", this
    ability. You should stop trying to divine my intent as you are
    consistently making incorrect assumptions.
    No, it is granting *a* key to *one part* of the kingdom. A key that I
    trust certain users to have. What is it about this that bothers you so
    much?

    Regards,

    Dave
     
    Dave R., Jun 25, 2008
    #11
  12. Dave R.

    Dave R. Guest

    Thanks for the constructive reply, Mark. I'll take a closer look at
    your suggestions and ideas and see if they can get me where I want to
    go.

    Regards,

    Dave
     
    Dave R., Jun 25, 2008
    #12
  13. Beoweolf

    Beoweolf Guest

    This is an interesting thread. A bit hostile, but interesting.

    You have the answer to your question, obviously it is not the answer you are
    looking for. For the last few replies, the conversation has degraded into a
    tit-for-tat exchange, which still will not change anything.

    At the risk of incurring more enmity...the granularity that you seek is
    available in Vista/Server 2008. Technology evolves; things that were not
    possible (for whatever reason) are added in later versions. Granularity of
    administrative functionality is now possible in the latest version of
    Microsoft server/client OS. Might be time to upgrade if this is something
    that you need.

    If you must have the functionality in your present version of software, it
    might be worthwhile to create a function/macro with the ability you need.
    Compile it with the appropriate permissions then deploy it thru GPO? You
    seem knowledgeable, more than capable to handle the coding. It can be done.
     
    Beoweolf, Jul 1, 2008
    #13