Have you figured why these programs need admin rights? I have circumvented
many apps by adjusting security on:
Thier program directory ie c:\legapp (users - modify)
their .ini ie %systemroot%\legapp.ini (users - modify)
all users application data allusers\application data\legapp (users - modify)
%systemroot%\legapp (users - modify)
I have even had to give (users - modify) rights on %systemroot% (this folder
only) for a paticular app to run correctly, although I feel it makes a nice
hole for spyware and viri (theese systems are reimaged every summer)
About the only app I have that I have to give admin rights on is on that has
to register dll's via an updater utility.
-----Original Message-----
From: Stegman, William [mailto:Bill.Stegman@transcore.com]
Sent: Fri 1/14/2005 12:01 PM
To: Murad Talukdar
Cc: focus-ms@securityfocus.com
Subject: RE: local admin vs group policy and apps...
If you're using Active Directory, gpo's at the ou level could not be
rescinded by a local admin account. If a normal user logs in with their
domain account, all the site/domain/ou gpo's relevant to that computer and
user would apply. The gpo setting, prohibit access to the control panel, is
only available under the user configuration, and reads that disabling it
prohibits users from starting the control panel. I've tested this and when
you try a runas with the local admin account, the control panel does not
open.
-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m@subway.com]
Sent: Thursday, January 13, 2005 10:11 PM
To: focus-ms@securityfocus.com
Subject: local admin vs group policy and apps...
Hi,
We have two apps (even calling them legacy seems to attribute some
undeserved elegance to them) which must run at admin level to function
properly. I am trying to find out whether the fact that users are allowed to
be local admins, or even given the runas power to run the app can still be
locked out of control panel etc through GPOs.
I mean, if I let people runas then they know the admin password so can
rescind any GP settings, can't they? How can I shut that possibility out?
Yes I have asked for the possibility of then apps being recoded to function
under power users but the development team are of the starving waif variety
due to under resourcing...this consideration is not high on the list.
Kind Regards
Murad Talukdar
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
