Posted by: kurtsh | November 20, 2006

INFO: “Running apps on WinXP when users have only user-level access”

Someone I know asked me this question recently:

"What do I do with an application that won’t run for users that don’t have admin rights?" 

A good place to start is this webcast:
How to use Microsoft Application Compatibility Toolkit 4.0 to manage application compatibility on Microsoft Windows:  http://support.microsoft.com/kb/895129

I had a lot of this archived from back when we released SP2.   The bottom line is that there’s numerous solutions to this.

  • 3RD PARTY SOFTWARE
    The easiest "shortcut" is to use MASTsoft’s "RunAs Professional" which allows end users to run specific applications under admin privileges using an encrypted password using an encrypted "execution profile"  http://www.mast-computer.com/c_9-l_en.html.  The key is that the profile is locked to just that applications.  ($300 for 50 users, 1 user for $10)  I actually don’t know anyone that’s done this because it’s not something we recommend generally.
  • DOCUMENTATION
    There’s a long article about this in Technet Magazine.  We have a long article about resolving Least Privilege User Accounts called "Problems of Privilege:  Finding & Fixing LUA Bugs" which involves using the ACT4.0 and generally "loosening privileges for specific reg keys & files" that you can propagate using.  A discussion of .INI file mapping key we have for compatibility is in here as well.  http://www.microsoft.com/technet/technetmag/issues/2006/08/LUABugs/
  • COMMUNITY
    Then there’s the community.  There’s an entire online site for this exact problem out there called "NonAdmin" with a lot of fixes and resolution pointers that’s partially manned by several friends of mine at Microsoft.  http://nonadmin.editme.com/
  • VIRTUALIZATION
    You can also virtualize it.  There’s always running the application within Virtual PC. 
  • ENTERPRISE COMPATIBILITY SOLUTIONS
    PolicyMaker Application Security provides an enterprise management solution for this as well.  It’s possible to tweak privileges for specific applications during runtime while the user is in LUA using Privilege Manager (formerly Policy Maker Application Security from DesktopStandard).  The tool does not work with Active Directory Group Policy unless you license it however it works for local accounts from what I understand.  Privilege Manager is now available from BeyondTrust and is not part of the Microsoft acquisition of DesktopStandard. http://desktopstandard.com/PolicyMakerApplicationSecurity.aspx

Here’s a few additional articles on the topic.


Categories

%d bloggers like this: