Domain permissions issue

Smokes · 26 Mar 2006 at 10:36

Morning all

Quick question, I have a domain here with around 15 users and all but 1 are standard user accounts, so can't install software e.t.c. but some programs that they need to run won't because they don't have the appropriate permissions. Is there any way around this other than adding the domain account as a power user or administrator on the local machine?

TIA

oddjob62 · 26 Mar 2006 at 10:44

Which programs?

Often i find it's something like the program needs read/write permission to the folder to which it's been installed, or another folder that contains some "data files" or similar. Usually you can just give domain users full access to that folder without having to increase their permissions for the whole PC.

Sorry for being vague but like i said, every bit of software is different.

EG: For a version of ACT! i was installing at a client site, after much head scracthing i spoke to the support company, and it turns out users need full access to the "All users" profile directory :confused:

... just bad programming really.

Smokes · 26 Mar 2006 at 11:09

Its some label software for printing big barcodes, I have added them as a power user to the local machine and now they can use it, and I tested trying to install messenger and it won't let them so I *think* I'm alright for the time being.

Do you mean add the domain user for read/write access on the local program folder under security settings?

Thanks

oddjob62 · 26 Mar 2006 at 11:28

Smokes said:
Do you mean add the domain user for read/write access on the local program folder under security settings?

Thanks

Yeah. if you add the "domain users" group, it saves you added each user that uses that machine.

I'd say just have a play around and see what works. Power users have greater access to the "c:\program files" so that would explain why power users can use the software.

M0KUJ1N · 26 Mar 2006 at 11:46

Its also worthwhile having a poke around with sysinternals filemon and regmon to find exactly WHAT action and file(s) the user needs permissions to. You can then fine-grain the permissions to these files via GPO permissions, or even to the applications entire folder if absolutely necessary

A lot better (security-speaking) than handing out power-user and admin rights, although I think this is what is being alluded to anyway with the posts re: domain user rights? (I always use the "Authenticated Users" group for delegated file permissions rights on local machines)

Smokes · 26 Mar 2006 at 11:51

Great thanks for your help guys

The main issue I have is people using messenger and other crap so hopefully have put a stop to that