Jump to content
Sign in to follow this  
cheeseslice

runasSet local admin help

Recommended Posts

Hi,

I am having a problem with an application and I'm hoping that someone can help.

I have a workstation that is part of an active directory, a piece of software is installed on it that requires it to be run with a user account that has administrator rights. I thought that this problem could be easily solved by just creating and exe and using runasset with the local administrator username and password.

The problem I have with this solution is that when the user goes to save their work they are no longer seeing the mapped 'my documents' folder, they are instead seeing the 'my documents' folder of the local administrator account on the workstation.

I can't work out a way to get around this problem. There are too many users that need access to this application and I cannot give them admin rights.

Many thanks.

Share this post


Link to post
Share on other sites

Try to determine why it needs admin rights, and you may be able to work around it.

(Filemon/Regmon/Procmon are great resources)

Many legacy apps kept their configuration files in the program folder.

In most of those cases, you can relax the ntfs permissions on those specific files.

Registry keys can be opened as well, and you can even allow non-admins to start/stop specific services.

Depending on the app, you may be able to get the vendor to modify it to work without admin rights.

What app is it?


[font="Tahoma"]"Tougher than the toughies and smarter than the smarties"[/font]

Share this post


Link to post
Share on other sites

It is sibelius.

I have already spoken to their technical support, they weren't much help. They claimed that the user needs to have read/write access to all files in the program folder. I did this by changing the security on that folder to allow everyone full access but it made no difference. In fact, the only account that works fully is the administrator account that I installed it with, maybe something has been added to the profile of that account.

Thanks for your reply.

Share this post


Link to post
Share on other sites

I severely doubt it needs full access to the entire programs folder structure; I'm quite sure that was a stupid / general "go away" response from tech support. There's no reason that sibelius needs access to C:\Program Files\Microsoft Office for example :)

I strongly suggest you take Skruge's advice and look at Regmon to see what it's doing to the registry; I'd wager either that or it's trying to write temp data to some stupid protected location like C:\Windows

Share this post


Link to post
Share on other sites

In fact, the only account that works fully is the administrator account that I installed it with, maybe something has been added to the profile of that account.

Does this mean that you've tried it with a different admin account?

As you mentioned, something may have been added to that user's profile. (Files and/or registry values)

Procmon would help you identify those.

I'm not familiar with the app, but if it's MSI based, it might not be installed/advertised for all users.

One quick way to check this is to browse to HKLM\Software\Microsoft\Windows\Currentversion\Install\UserData and search for the app.

If it appears somewhere under S-1-5-18 (System SID), it's installed for all users. If it appears under a different SID, it's installed only for that user.

Based on what you discover, you may need to copy some files/values to all profiles, relax permissions on more files/keys, or trick it into installing for all users.

EDIT: typo

Edited by Skruge

[font="Tahoma"]"Tougher than the toughies and smarter than the smarties"[/font]

Share this post


Link to post
Share on other sites

I severely doubt it needs full access to the entire programs folder structure; I'm quite sure that was a stupid / general "go away" response from tech support. There's no reason that sibelius needs access to C:\Program Files\Microsoft Office for example :)

I strongly suggest you take Skruge's advice and look at Regmon to see what it's doing to the registry; I'd wager either that or it's trying to write temp data to some stupid protected location like C:\Windows

They said it needs read/write to the program folder of sibelius i.e. c:\program files\sibelius. I agree with you though, I think that it just needs access for temp files or folders.

Running the runasset does work if they just save their work to a memory stick but it's annoying me!

I'll spend a bit of time with it tomorrow and see what it is trying to access.

Cheers

Share this post


Link to post
Share on other sites

cheeseslice, are you aware that starting Sibeluis with admin rights is virtually equal to giving all users those rights on the entire system?

From within the program's 'File Open'/'File Save' dialog one can start ANY further software, which would then inherit the administrative privileges...

So I can only agree with Skruge and Albuquerquefx that granting access to necessary files in the mentioned directory is not just the BETTER but also the ONLY way you could offer program's functionality to other users without making them all admins.


UDFS & Apps:


DDEML.au3 - DDE Client + Server[*]
Localization.au3- localize your scripts[*]
TLI.au3 - type information on COM objects (TLBINF emulation)[*]
TLBAutoEnum.au3 - auto-import of COM constants (enums)[*]
AU3Automation - export AU3 scripts via COM interfaces
TypeLibInspector

- OleView was yesterday

Coder's last words before final release: WE APOLOGIZE FOR INCONVENIENCEĀ 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×
×
  • Create New...