Making Users Power Users, Without Install Privlidges

Discussion in 'Active Directory' started by Michael, Sep 7, 2005.

  1. Michael

    Michael Guest

    I need to make some of my users power users, without giving them installation
    rights ?

    I have installed a new application that needs to access the registry, but I
    do not want users to be able to install applications.

    Any help is greatly appreciated.

    Michael, Sep 7, 2005
    1. Advertisements

  2. Grant users registry permissions they need. You can do this for a large
    amount of users/computers with group policy.
    You can use ntregmon utility to check which registry keys/values are used by
    application and find out which kind of access this application tries to get.
    Dmitry Korolyov [MVP], Sep 7, 2005
    1. Advertisements

  3. Michael

    Arkane Guest

    Hi there,

    We have a similar problem (well, we did). All of our users on one forest
    were all local administrators (as set by my predecessor). I've just finished
    'moving' them out of Administrators and back as domain users.

    I found NTRegMon (available at very helpful for
    trapping application rights and such.

    A trick that worked for me was to login as a USER (but one that isn't locked
    down by GPOs), open up a command-prompt, use RUNAS to run NTRegMon as an
    administrator. Then clear the NTRegmon screen (so it pauses logging and
    clears the screen). Then enable logging just before you run the app.
    Don't do much else with the app, just close it, then pause monitoring on
    NTRegMon but DO NOT clear the screen. And then add a filter for 'DENIED' on
    the filter control panel and check through the list of things that it shows
    you in the panel.

    Hope that helps somewhat, as Dmitry said though - you want to give them ONLY
    the rights they need to run the applications successfully, little point
    granting them higher access (like power users) and then trying to restrict
    them, it's not the easiest way to do it IMO.

    Arkane, Sep 7, 2005
  4. Michael

    Michael Guest

    Thanks for this. Where is Group Policy do I grant access to these keys once I
    find out which ones are required ?



    Michael, Sep 8, 2005
  5. Computer Configuration\Windows Settings\Security Settings\Registry

    Dmitry Korolyov []
    MVP: Windows Server - Directory Services

    Dmitry Korolyov [MVP], Sep 8, 2005
  6. Michael

    Arkane Guest

    Something to keep in mind, if you set ACLs on registry or files using GPO (or
    infact anything), the ACLs will remain in effect until you manually remove
    them. Simply removing them from the GPO will NOT remove the special ACLs you
    set. I found this one out the hard way... removing access to a critical key,
    only to find out was the wrong one... I remove from GPO - ACL still there,
    had to run around a bit to get that reversed! :)

    Arkane, Sep 8, 2005
  7. Michael

    Michael Guest


    When I go to Computer Configuration\Windows Settings\Security Settings\, the
    registry option isnt there.

    Any ideas whats wrong ?



    Michael, Sep 9, 2005
  8. Are you editing GPO or a local policy? It won't show up in the local policy.

    Dmitry Korolyov []
    MVP: Windows Server - Directory Services

    Dmitry Korolyov [MVP], Sep 11, 2005

  9. Hi Michael,

    if you know in which part of the registry they need access in order to run
    the application, I'd first talk to the vendor of the application and ask
    them to produce code running as useraccount, and for an interim solution put
    those users in a group, and assing the new custom group the rights they need
    on the specific registry-keys. You can assign those permissions
    automatically using GPOs.

    Gruesse - Sincerely,

    Ulf B. Simon-Weidner

    MVP-Book "Windows XP - Die Expertentipps":
    Ulf B. Simon-Weidner [MVP], Oct 3, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.