current user rights


Microsoft Applications Security - Microsoft's general security discussions and announcements 

Posted by mkv on July 5, 2005, 12:49 pm
Hi everybody.
I've got a question about current user rights and access.
One of our clients has a situation where highly restricted users on the TS 2003
in some cases have to have the ability to modify HKEY_CURRENT_USER\Software
and register one DLL (third-party application).

A user logon script, depending on the situation, initiates another script (via
runas) which actually makes the current user (CU) a member of the local admins group.
So now CU should be able to complete all actions, but in reality the current
session still accesses
any resource as if CU isn't a member of the local admins group, and this is the
question - why does CU still have no rights to modify the registry or register the DLL?

Is there any command similar to "gpupdate.exe /force" to refresh CURRENT
SESSION USER RIGHTS?

Thanks for a helpful response.
mkv

P.S.
At the end of the logon script we remove the user from the local admins group so all
limitations are recovered.
And one more thing - since this is not our environment, please do not advise us
to change security and user rights at the AD level.

Posted by Steven L Umbach on July 5, 2005, 3:44 pm
Apparently the problem is that the user's security token does not contain his
membership in the administrators group yet. The user would have to log off
and log on, or use something like "runas" to temporarily elevate the user's
rights to execute a file, but that would require that the user know admin
credentials or that you use a third-party runas-type utility that can encode user
credentials, such as the one from Joeware. You can give a user additional
user rights in the Local Security Policy [secpol.msc] of the server without
making him an administrator. Whether or not there is a user right that is
sufficient for your needs, I don't know offhand. You can use the support
tool whoami while logged on as that user to see information about the
current session's access token. --- Steve

http://www.joeware.net/win/free/tools/cpau.htm -- link to Cpau from Joeware
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/whoami-o.asp --- whoami
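
The mismatch described in the reply above (group membership changed, session token unchanged) can be made visible by comparing the two views side by side. This is an added example, not part of any post in the thread; it assumes Windows PowerShell 5.1 or later for `Get-LocalGroupMember`, which is newer than the Server 2003 system discussed, and the function names are made up for illustration.

```powershell
# Added example: compare the logon-time token with the local group database.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
$adminSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')  # BUILTIN\Administrators

function Test-AdminInToken {
    # View 1: the access token of this process. Its group list was fixed when
    # the logon session was created and does not change afterwards.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole($adminSid)
}

function Test-AdminInGroupDatabase {
    # View 2: what the local account database says right now.
    # Only direct members are checked; membership through a nested group
    # is not resolved here.
    $userSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $members = Get-LocalGroupMember -SID $adminSid
    [bool]($members | Where-Object { $_.SID.Value -eq $userSid })
}

$inToken = Test-AdminInToken
$inGroup = Test-AdminInGroupDatabase

if ($inGroup -and -not $inToken) {
    # The situation in the thread: the account was added after logon.
    # On systems with UAC, a non-elevated administrator shows the same
    # pattern, because the group is deny-only in the filtered token.
    'Group database lists the user, token does not: a new logon is needed.'
}
elseif ($inToken -and -not $inGroup) {
    # The reverse case: the account was removed from the group (as the
    # logon script in the thread does at its end), but processes already
    # running in this session keep the membership until logoff.
    'Token still carries Administrators although the group no longer lists the user.'
}
else {
    "Token and group database agree (member: $inToken)."
}
```

On a system without PowerShell, `whoami /groups` and `net localgroup Administrators` give the same two views.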



Posted by Roger Abell on July 6, 2005, 1:35 am
If this is a frequent event, their installing software and
registering dlls, then you might just as well let them be
Administrators members since you are after all entrusting
the system to them when you let them install software.

If this is not a frequent event, then just give them a way
to ask to have the software installed that will have a set
expectation on the turn-around time on the request. They
will learn that if turn-around is 3 days, and they need it
on Friday then they need to ask for it before Wednesday.

--
Roger Abell
Microsoft MVP (Windows Security)
