Program needs admin rights

  • Question

  • We have Steady State in a testing environment and everything seemed to be going well, until we ran into a problem with Quick Tax and Quicken. We have the machines on a domain using GPO and disk protection, and the students who log in are not admins, just normal users. Quicken and Quick Tax need the user who is launching the application to be an admin. We cannot allow the students to be admins on the machines, so I need a way for just those programs to be run as admins and all other programs to be run as normal. If I use "run as" and give the students an admin account for this, then they would be able to "run as" other programs or applications in admin mode that should not be run. We cannot set up a shared account or local account as the student will be logging onto the computer through the domain controller, so I cannot set any restrictions up through that. I hope someone can understand this, and perhaps offer a solution.

    Thanks!
    Monday, March 17, 2008 7:22 PM

Answers

  •  

    Hi,

     

    Thanks for posting here!

     

    I understand that you would like to set up a non-Administrator account to run Quick Tax and Quicken, which need Administrator privileges.

     

    As you know, SteadyState does not offer such a function and it can be complicated to achieve the target, so I would like to suggest using a "Restricted Administrator" account as a workaround. This can be completed easily in SteadyState. Let's see if this can fulfill your need.

     

    Creating a Restricted Shared Administrative Account

    For users to run applications that are not designed to run on Windows XP, a restricted shared administrative account can be created for the purpose of operating nonstandard software, such as Internet-based and network-based multiplayer games. Some older educational programs also require more administrative access than is allowed with a typical Windows SteadyState user account with a restricted shared user profile.

    For a list of non-Microsoft programs that do not work with typical Windows SteadyState shared user accounts, see Microsoft Knowledge Base Article #307091 at: http://go.microsoft.com/fwlink/?LinkId=83434.

    A restricted shared administrative account is an unlocked user profile in which most restrictions have been removed. This type of unrestricted user account allows access to the increased permissions necessary to run nonstandard applications.

     

               To add a shared user account to the Administrators group on the computer

    1.   Log on as the Windows SteadyState administrator. You must also be logged on as an administrator or a member of the Administrators group to add a shared user account to the Administrators group on the computer.

    2.   Click Start, and then click Control Panel.

    3.   In Control Panel, double-click User Accounts.

    4.   On the Users tab, under Users for this computer, click the shared user account that you want to add to the Administrators group, and then click Properties.

    5.   On the Group Membership tab, select the Other option, choose Administrators from the drop-down list, and then click OK.

     

    After the shared user account has been added to the Administrators group, use Windows SteadyState to restrict the shared administrative account access to all programs and settings, with the exception of the increased permissions that are necessary to run nonstandard applications.

     

    For more detailed information, please refer to the SteadyState handbook:

     

    Windows SteadyState Handbook

    http://www.microsoft.com/downloads/details.aspx?FamilyId=D64AF114-336C-4418-BEB7-E074E813B498&displaylang=en

     

    Best regards,

    Tuesday, March 18, 2008 6:50 AM

All replies

  • Hi

     

    After installing Windows XP Pro Service Pack 3 (Windows Update) on a formatted disk, I installed some programs.

     

    Everything was OK until I installed SteadyState. I already had a user account (with full rights) made during the install of Windows XP. I couldn't enter this user account through SteadyState (a message appears, something like: could not enter because it was still in use), so I decided to create a new profile, without restrictions and password. (I realised I couldn't edit one of them, but I have fixed this problem (User Profile Hive Cleanup).) Before I used this solution I tried the following: modified the permissions of the administration account by:

    the Advanced button and click the "Owner" tab.

    6. Select "Administrators" from the list and check the "Replace owner on subcontainers and objects" checkbox. I could enter both profiles to edit them, but after restarting my PC a few times, the problem came back. Then I used the User Profile Hive Cleanup. This seems to work great.


    After restarting the PC, I logged in to the new profile with restricted rights. I tested some programs (accepting license agreements, the first screen of Internet Explorer: save settings, ...). The following programs had an error:

     

     

    Virtual Daemon Manager v4.10: registry access error after I want to make sure that the program starts automatically after starting the PC.

     

    MS Word (MS Office is installed: Excel, PowerPoint, Access, Publisher): MS Word shows the Windows Installer every time after starting this program. The others (Excel, PowerPoint, ...) are OK.

     

    Skype 3.8: I got a message: in Skype an error occurred, this program has to be closed. I can send a report to Microsoft, but if I choose to do so, I get the following message (my own words): an active Internet connection is needed (which I have), but an error message appears after I click on OK: runtime error 216 at 0040450E.

     

    Other programs are working without any problems:

    Windows Messenger, RealPlayer, PaltalkScene, Yahoo Messenger, Acrobat Reader, Nero StartSmart (I had to give rights to the restricted account for using Nero, but I used Nero BurnRights in the configuration screen (selected: burning rights for everyone)). Before I gave full rights for Nero in Nero BurnRights, I tested the program to burn an image. Although I received a message (Ask your system provider to give you rights to burn CDs, DVDs, ...), it was no problem to burn the image.

     

     

    Once I changed the rights in Windows XP: instead of restricted profile, I changed it to full administration. This seems to help.

    All programs work as they should.

     

    But how can, in a restricted profile, some programs work great and others not? Do I really have to give the profile full control to fix the problem? The solution (restricted administration) that was given to someone else here could be my solution, but I really want to understand how it comes that some programs work well and some do not, especially MS Word with its problem while the other Office programs have no problem. Normally these programs don't need administration privileges to execute.

     

     

     

    With best regards

     

     

    Friday, October 31, 2008 12:29 PM