Lock down environment newb question


In our environment everyone runs with full admin rights which is terrible I know, but we're slowly working towards locking users down. Now this is a newb question, but how do you run software that requires admin rights without giving admin rights?

So walk me through this, you install a piece of software that will not run under an account that does not have admin rights, but works fine when logged in with one that does have admin rights. How do you resolve this issue?

It seems so basic, but we have always run with admin rights that I never really thought about it.

Thanks.

Link to comment
Share on other sites

Ok sorry I thought you wanted to install.

Running software is a matter of testing. Giving access to different areas to users whether it be in the folder it is installed in, or the registry, or some areas in the Windows directory. Eventually it will work but you need to do your own research on that.

Link to comment
Share on other sites

In this day and age there really should be no software a user should be running in a work setup that requires admin rights. Install sure, but not run. Even stuff like Wireshark can be set up to allow access for the user to sniff without having admin rights.

http://wiki.wireshark.org/CaptureSetup/CapturePrivileges

Can you name some example software that you say needs admin rights? So we can take a look see to what it really requires or why it might actually need admin if not really a user type tool, etc. But if you run into software that was poorly written then sure you can adjust the folders/files it's accessing or registry keys to allow it to do what it wants to do without admin.

What OS are you running?

Link to comment
Share on other sites

Another option is to set up that one poorly written program to run as an on-demand task. This would allow you to create that one special exception to let a program run with admin privileges without actually having a random user running as an admin account or giving out an admin's credentials to use via runas. The short version is that you create a task, don't set any triggers, allow it to run on-demand, have it run as a preconfigured admin account and tell it to run with the highest privileges, and you'll need to give users access to that task as well via file permissions (\Windows\System32\Tasks, only for that specific task). To execute it you would create a shortcut something like this:

schtasks /run /TN "the name of the task"

This is assuming a supported version of Windows. No idea if XP/2K3 supports this. You'll obviously want to use care creating a task like that, lots of potential to be abused if you set it up to run something like a console shell or whatever.

That said, personally I'd look at permissions first as Budman suggests, for example I've seen some really old programs write to a database in its own directory, and obviously that won't fly as a regular user can't write to the Program Files directories by default, can override those permissions as an admin. Getting it to work without having to elevate permissions at all is a much better option.

Link to comment
Share on other sites
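
The post above warns that an on-demand task running with the highest privileges can be abused if users are allowed to start it. A way to audit for that, as an added example that is not part of the original thread: the script reads the task files under \Windows\System32\Tasks and reports every "highest privileges" task whose file permissions include someone outside an expected list. The expected-principal list and the list of shell programs are assumptions to adjust, and it assumes PowerShell 3.0 or later with English account names.

```powershell
# Added example: list elevated tasks that non-admin principals can reach.
# Run from an elevated prompt; assumes PowerShell 3.0+ and English account names.
$taskRoot = Join-Path $env:SystemRoot 'System32\Tasks'
# Assumption: only these principals are expected on a task file's ACL.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
# Assumption: programs that would give the caller a general-purpose elevated shell.
$shells = @('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mmc.exe')

Get-ChildItem -LiteralPath $taskRoot -Recurse -File -ErrorAction SilentlyContinue |
  ForEach-Object {
    $file = $_
    try { $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop) }
    catch { return }                       # unreadable or not task XML: skip
    $task = $xml.Task
    if (-not $task) { return }

    # Only tasks registered with "run with highest privileges" are of interest.
    $principals = @($task.Principals.Principal)
    if (-not ($principals | Where-Object { $_.RunLevel -eq 'HighestAvailable' })) { return }

    # Allow ACEs on the task file for anyone outside the expected list.
    $extra = @((Get-Acl -LiteralPath $file.FullName).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $expected -notcontains $_.IdentityReference.Value })
    if ($extra.Count -eq 0) { return }

    $commands = @($task.Actions.Exec | ForEach-Object { $_.Command } | Where-Object { $_ })
    $triggers = $task['Triggers']          # absent or empty element = on-demand only

    [pscustomobject]@{
      Task       = $file.FullName.Substring($taskRoot.Length)
      RunAs      = ($principals | ForEach-Object { $_.UserId }) -join ', '
      OnDemand   = (-not $triggers) -or ($triggers.ChildNodes.Count -eq 0)
      Commands   = $commands -join '; '
      # True when an action launches an interpreter rather than one fixed program.
      OpensShell = [bool]($commands | Where-Object {
          $shells -contains (Split-Path $_.Trim('"') -Leaf) })
      GrantedTo  = ($extra | ForEach-Object {
          '{0} ({1})' -f $_.IdentityReference.Value, $_.FileSystemRights }) -join '; '
    }
  } | Format-List
```

Any row with OpensShell set to True is the case the post cautions against; the other rows are worth checking that the listed command cannot be replaced or redirected by the users named in GrantedTo.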

Thanks for the replies guys.

Ok sorry I thought you wanted to install.

Actually that was going to be my next question.

Thanks Bud for taking the time to reply.

Can you name some example software that you say needs admin rights? So we can take a look see to what it really requires or why it might actually need admin if not really a user type tool, etc. But if you run into software that was poorly written then sure you can adjust the folders/files it's accessing or registry keys to allow it to do what it wants to do without admin.

What OS are you running?

We support mostly research software such as this http://www.chem.agilent.com/en-US/products-services/Software-Informatics/GC-MSD-ChemStation-Software/Pages/default.aspx. I can't even begin to tell you how many different versions of this application we have and applications like it. Software like this is quite expensive so we still have software from 2005 on our systems. I can see the point about newer software, but unfortunately we have to deal with a lot of old software like above.

As sc302 said, installation is another piece as well. I can see working with these applications and applying correct folder and registry permissions as needed, but after getting them running how to install new software. We have implemented SCCM, but we have been so cut to the bone that we are lacking in so many areas. Application packaging is one of those areas. They sent me for a course for Admin Studio 2 years ago, but 5 days is not going to teach you everything you need about packaging.

We are running Windows 7 32-bit and 64-bit systems. We also support Windows XP 32-bit in secure environments that are still monitored by SCCM.

Link to comment
Share on other sites

You can deploy with SCCM, best suggestion for anything SCCM will be YouTube or if you can afford it CBT Nuggets or other CBT courses.

I can possibly help with Waters and Shimadzu stuff but I don't have any Agilent stuff on site that could be of any use. I don't recall any ChemStation standalone workstations either.

I can say if you are not in a validated environment, you can do what you want to the computer config...but God help you if you are in a validated environment.

Link to comment
Share on other sites
