Interesting......

 

We have some home-grown apps that require security changes be made to
the DCOM objects in order for "normal" users to access them.

 

Similar?

 

Don Guyer

Windows Systems Engineer

RIM Operations Engineering Distributed - A Team, Tier 2

Enterprise Technology Group

Fiserv

[email protected]

Office: 1-800-523-7282 x 1673

Fax: 610-233-0404

www.fiserv.com <http://www.fiserv.com/> 

 

 

From: David Lum [mailto:[email protected]] 
Sent: Thursday, September 22, 2011 5:42 PM
To: NT System Admin Issues
Subject: RE: App compatability continues

 

Revisiting this one today, check this out.

 

Log into RDS as standard user, try to launch this app and get "Run-time
error '70': Permission denied" (same error I have been battling).

Log that user off, make said user local admin, repeat the sequence fully
expecting the error to go away. Nope, same error

Log in as myself, log into app as the standard user, application now
works (as has been the case)

Log off, log in as standard user, launch app as standard user,
application now works

 

Looking up the error, it appears to be a DCOM thing, but running the
DCOM config tool doesn't help me as nothing jumps out at me to change...

 

<scratching head>

 

Dave

 

From: David Lum [mailto:[email protected]] 
Sent: Wednesday, September 14, 2011 10:29 AM
To: NT System Admin Issues
Subject: RE: App compatability

 

Looking at this error further, it tells me just *opening* this key
(operation is RegOpenKeyExA) is a problem for a standard user.

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters

"Fails as standard user and succeeded with full admin permissions"

 

With this app - it's on RDS - if I log in as local admin and launch it,
it runs fine. If a standard user tries to launch it any time after I
have fired it up (and even if I have opened then closed it), it works
too, so it's as if there's some dependent service that fires up when
initially launched.

 

Bizarro info #2, rebooting the server after making the app work by me
logging in...the app still works for a standard user even if I don't log
in after the reboot, yet after some undetermined amount of time (days)
it "breaks" again. This sucks because I can't break the app on demand.
When it breaks, what the user sees is they launch the app and they get
"Error 20 - access is denied" after trying to login to it (credentials
are specific to the app, which come to think of it talks to a DB on a
different machine).

 

This app has a dependency on Mozilla, but the users have access to the
relevant Mozilla folders.

 

Any guesses?

 

Dave

 

From: David Lum [mailto:[email protected]] 
Sent: Monday, September 12, 2011 9:09 AM
To: NT System Admin Issues
Subject: RE: App compatability

 

Ok cool, thanks!

 

From: Brian Desmond [mailto:[email protected]] 
Sent: Monday, September 12, 2011 8:40 AM
To: NT System Admin Issues
Subject: RE: App compatability

 

Shouldn't be any reason you can't build and install a shim there. 

 

Thanks,

Brian Desmond

[email protected] <mailto:[email protected]> 

 

c   - 312.731.3132

 

From: David Lum [mailto:[email protected]] 
Sent: Monday, September 12, 2011 10:29 AM
To: NT System Admin Issues
Subject: RE: App compatability

 

Whoa I omitted that this is for a 2008 R2 RDS application server, does
that change things?

 

From: Brian Desmond [mailto:[email protected]] 
Sent: Monday, September 12, 2011 8:22 AM
To: NT System Admin Issues
Subject: RE: App compatability

 

No, the second one you just need to build the shim with the AppCompat
toolkit. 

 

Thanks,

Brian Desmond

[email protected] <mailto:[email protected]> 

 

c   - 312.731.3132

 

From: Crawford, Scott [mailto:[email protected]] 
Sent: Monday, September 12, 2011 10:09 AM
To: NT System Admin Issues
Subject: RE: App compatability

 

Standard users already have read access to that key.

 

Registry virtualization is automatically on in Windows 7 with UAC
enabled.

 

From: David Lum [mailto:[email protected]] 
Sent: Monday, September 12, 2011 9:43 AM
To: NT System Admin Issues
Subject: App compatability

 

Using LUA Buglight, which helps show what apps need permissions to run as
a standard user and not admin, it points to the following key:

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters

 

Solutions include "registry virtualization, the VirtualRegistry shim, as
a last resort, loosen permissions". The first two involve the developer
doing something, right?

 

How much of a security hole is it if I allow read access by Domain
Users?

David Lum 
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
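
To check on the server itself who can already read the key discussed in this thread before loosening anything, the following added example (not code from any poster in the thread) lists each ACE on the key and whether it grants or blocks read access to the key itself. The function name Get-ReadEffect is hypothetical; generic-right and inherit-only ACEs are handled explicitly because they do not show up as a plain ReadKey entry.

```powershell
# Added example: report how each ACE on the key affects read access.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'

$readKey     = [int][System.Security.AccessControl.RegistryRights]::ReadKey
$genericRead = [int]::MinValue   # 0x80000000, GENERIC_READ stored unmapped in the ACE
$genericAll  = 0x10000000        # GENERIC_ALL
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Hypothetical helper: classify one RegistryAccessRule with respect to reading this key.
function Get-ReadEffect {
    param([System.Security.AccessControl.RegistryAccessRule]$Rule)

    # Inherit-only ACEs apply to subkeys, never to the key they are set on.
    if (([int]$Rule.PropagationFlags -band $inheritOnly) -ne 0) {
        return 'none (inherit-only)'
    }

    $mask    = [int]$Rule.RegistryRights
    $generic = (($mask -band $genericRead) -ne 0) -or (($mask -band $genericAll) -ne 0)
    $overlap = $mask -band $readKey

    if ($Rule.AccessControlType -eq 'Deny') {
        # A deny on any read bit is enough to fail a ReadKey open.
        if ($generic -or ($overlap -ne 0)) { return 'blocks read' }
        return 'none'
    }

    # An allow must cover every bit of ReadKey (or be generic) to grant it alone.
    if ($generic -or ($overlap -eq $readKey)) { return 'grants read' }
    return 'none'
}

(Get-Acl -Path $keyPath).Access |
    Select-Object @{ n = 'Identity';   e = { $_.IdentityReference.Value } },
                  AccessControlType,
                  RegistryRights,
                  IsInherited,
                  @{ n = 'ReadEffect'; e = { Get-ReadEffect $_ } } |
    Format-Table -AutoSize
```

The output is per ACE; whether a given account is covered still depends on which of the listed groups it belongs to.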
