Posted by Roger Abell on July 6, 2005, 1:35 am
If this is a frequent event, their installing software and
registering dlls, then you might just as well let them be
Administrators members since you are after all entrusting
the system to them when you let them install software.
If this is not a frequent event, then just give them a way
to ask to have the software installed that will have a set
expectation on the turn-around time on the request. They
will learn that if turn-around is 3 days, and they need it
on Friday then they need to ask for it before Wednesday.
--
Roger Abell
Microsoft MVP (Windows Security)
> Hi everybody.
> I've got a question about current user rights and access.
> One of our clients has a situation where highly restricted users on the TS 2003
> in some cases have to have the ability to modify HKEY_CURRENT_USER\Software
> and register one dll (third party application).
>
> A user logon script, depending on the situation, initiates another script (via
> runas) which actually makes the current user (CU) a member of the local admins group.
> So now CU should be able to complete all actions, but in reality the current
> session still has access
> to any resource as if CU isn't a member of the local admins group, and this is the
> question - why does CU still have no rights to modify the registry or register the dll?
>
> Is there any command similar to "gpupdate.exe /force" to refresh CURRENT
> SESSION USER RIGHTS?
>
> Thanks for helpful response.
> mkv
>
> P.S.
> At the end of the logon script we remove the user from the local admins group so all
> limitations are recovered.
> And one more thing - since this is not our environment, please do not advise
> changing security and user rights at the AD level.