When loosening permissions to allow an application to run, don't just allow all users the extra permissions, or named users; create a new user group and give this new group the extra permissions, then give specific users membership of the group.
The permissions for the group are tweaked to allow the application to run, and to keep the application running when the developers take yet more liberties with security in the future. It's also clearer, when looking at the permissions for a folder or file, to figure out why the permissions are so relaxed. Only those users who need the extra access will get it, and maintaining group membership becomes a separate task, which could be delegated to a different admin. Aside: Is there an SGID-like mechanism in Windows? Peter Hyvonen wrote: > Its there a way to 'fake' an administrator account? I ask because our > MRP software requires the user have complete local privliges (power user > accounts do not work) I've complained but changing MRP software is not > an option. We have alot of small fires because the users of the MRP > software have to be administrator on their own box. Thanks in advance > > Pete Hyvonen > Systems Specialist > Self Charge Inc. > > --------------------------------------------------------------------------- > --------------------------------------------------------------------------- > --------------------------------------------------------------------------- ---------------------------------------------------------------------------
