System Administrator vs. Application Administrator

Discussion in 'Windows Vista Administration' started by Dave R., Feb 12, 2007.

  1. Dave R.

    Dave R. Guest

    There seem to be a lot of posts about UAC, proper system administration
    practices, programming practices, etc., but I haven't yet seen a good
    answer to how best to implement a setup where an application
    administrator is not the system administrator.

    To use an example from another thread, the FamilyAddress program. Mom,
    Dad, Billy and Tammy all use the application under their own Limited
    User Windows logins. Mom and Dad are application administrators, but
    only Dad is a system administrator (under a separate Windows
    administrative login). All need to be able to add/edit/delete private
    addresses, but Billy and Tammy shouldn't be able to see other users
    private addresses. All need to be able to read common addresses. Mom
    and Dad both need to be able to add/edit/delete common addresses (or
    move a private address to the common area), and as application
    administrators can access the private addresses of all users in the
    system. To complicate matters, as application administrators, Mom and
    Dad need to be able to set global application parameters.

    Where, in Vista, can/should you place the data file or files for this
    type of application? Where should the global application parameters be

    Please, I'm not trying to troll, bash, flame, belittle anyone or
    anything here. I really want to understand how this should properly be
    done in Vista and I've not yet seen anything that looks to me like it
    would work without modifying the underlying system security / access


    Dave R., Feb 12, 2007
    1. Advertisements

  2. Dave R.

    Jimmy Brush Guest


    Per-user stores would be stored in each user's profile, while the
    per-machine info (such as global addresses and any configuration info) would
    be in the per-machine location.

    If you didn't add the abstraction for Application Administrator, the default
    security settings would suffice.

    However, you are correct that you would need to edit the security on the
    files to make your scenario work, since Windows has no notion of an
    Application Administrator. You would need to create the Application
    Administrator user group and then give that user group access rights to the
    files/folders that they are meant to manage.

    As an alternative to directly using files to access your data and settings
    from your main program, you could implement a windows service that manages
    the files for your app and then exposes an API for your application (and
    other applications) to call and get the data. In this solution, all of the
    files could be stored in the per-user location for the service (which should
    only allow the SYSTEM or service account access and deny everyone else). The
    service would be responsible for determining who has access to what.
    However, you would need to be extremely careful that your service does not
    introduce any security holes by allowing users or other programs to use your
    service to do something that they are not supposed to be able to do.

    - JB
    Microsoft MVP - Windows Shell/User

    Windows Vista Support Faq
    Jimmy Brush, Feb 13, 2007
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.