+1 on that recommendation, it takes time, but most times, it only needs certain access to directories/registry or maybe to start a service, but that all can be granted at a user level.
Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:[email protected]
Cell:401-639-3505

From: James Rankin [mailto:[email protected]]
Sent: Thursday, February 17, 2011 6:37 AM
To: NT System Admin Issues
Subject: Re: Registry permissions

No, because they will just change them back. Admins are gods, whatever you do.

I have never found a piece of software that "needed admin" that I couldn't make work as a regular user. Use LUA Buglight or Process Monitor to track down the offending areas. 99% of the time, it is either file permissions under Program Files that normal users only have Read to, or Registry permissions under HKLM that Users only have Read to. Modify them and you won't need admin anymore. Problem solved.

If you don't have the time to track down the offending areas, I have sometimes used CPAU (http://www.joeware.net/freetools/tools/cpau/index.htm) to use a temporary elevation for the user when they launch the application. Then they only have admin "inside" the application, rather than in everything they do. Better than nothing.

Cheers,

On 17 February 2011 11:16, Nigel Parker <[email protected]> wrote:

Hi

We have some people who sadly have to be local admins due to the software

I would like to change some of the Registry permissions via a login script to stop them being able to change certain settings

So give them Read to certain keys etc

Is this possible?

Nigel Parker
Systems Engineer
Ultraframe (UK) Ltd
Tel: 01200 452329
Fax: 01200 452201
Web: <www.ultraframe.com>
Email: <mailto:[email protected]>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin

--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
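The workflow described in the thread (find what the application is denied, then grant only that to Users), as an added example that is not part of the original messages. The process name, vendor paths and CSV rows are constructed placeholders; the column names are those of a Process Monitor CSV export.

```powershell
# Constructed sample rows in Process Monitor's CSV export format (not real data).
$procmonCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1","legacyapp.exe","4120","RegSetValue","HKLM\SOFTWARE\ExampleVendor\LegacyApp\Settings\LastRun","ACCESS DENIED","Desired Access: Set Value"
"9:01:02.2","legacyapp.exe","4120","CreateFile","C:\Program Files\ExampleVendor\LegacyApp\Logs\app.log","ACCESS DENIED","Desired Access: Generic Write"
"9:01:02.3","legacyapp.exe","4120","RegOpenKey","HKLM\SOFTWARE\ExampleVendor\LegacyApp","SUCCESS","Desired Access: Read"
"9:01:02.4","explorer.exe","2210","RegOpenKey","HKLM\SOFTWARE\Other","ACCESS DENIED","Desired Access: Write"
'@

# List each path the named process was denied, with the operations that failed.
function Get-DeniedPath {
    param([object[]]$Events, [string]$ProcessName)
    $Events |
        Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Result -eq 'ACCESS DENIED' } |
        Group-Object -Property Path |
        ForEach-Object {
            [pscustomobject]@{
                Path       = $_.Name
                Operations = ($_.Group.Operation | Sort-Object -Unique) -join ', '
            }
        }
}

# Add an allow ACE for BUILTIN\Users (well-known SID S-1-5-32-545) on one
# registry key or one folder. Hypothetical helper name; run it elevated.
function Grant-UsersWrite {
    param([Parameter(Mandatory)][string]$Path)
    $users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
    $acl   = Get-Acl -Path $Path
    if ((Get-Item -Path $Path).PSProvider.Name -eq 'Registry') {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $users, 'ReadKey,SetValue,CreateSubKey', 'ContainerInherit', 'None', 'Allow')
    } else {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $users, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    }
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Get-DeniedPath -Events ($procmonCsv | ConvertFrom-Csv) -ProcessName 'legacyapp.exe'

# After reviewing the list, grant on the narrowest container that covers it:
# Grant-UsersWrite -Path 'HKLM:\SOFTWARE\ExampleVendor\LegacyApp\Settings'
# Grant-UsersWrite -Path 'C:\Program Files\ExampleVendor\LegacyApp\Logs'
```

Grant on a data-only subkey or subfolder rather than the application root: a folder that holds the program's executables or DLLs and is writable by Users lets any user replace code that other accounts run.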
