Bad boy Warrior Posted June 29, 2010 Share Posted June 29, 2010 I know this question has probably been asked before but the solutions ive read so far, either doesnt fit our scenario or i may not know how to go about certain areas... so any links to external source/help where i could try would be good.I have an application that has been deployed to some users. I need to change a file within the program files directory. Of course standard/normal users dont have access to this directory to make changes.I have a vbs script that makes these changes but when deployed to users the error "Permission Denied" is listed. I looked at File System with AD Security GPO but the file is not on my system so not sure how i should go about configuring this without the app on my system (remember the app is only on users system). Any other "easy" way to execute this batch with elevated permissions (without having to add everyone in Domain admins and then remove this permission once done)? All users are running Win XP.Thanks Link to comment Share on other sites More sharing options...
cluberti Posted June 29, 2010 Share Posted June 29, 2010 Would the users have access to credentials that they could input to elevate the script if prompted? Otherwise, you're making the users admins or removing restrictive permissions on the program files folders; those are your options. Link to comment Share on other sites More sharing options...
Bad boy Warrior Posted June 29, 2010 Author Share Posted June 29, 2010 (edited) Is it possible to make them local admins rather than domain and remove this once done? I know the script allows something similar to this but trying to ensure no user interaction is required? Edited June 29, 2010 by Bad boy Warrior Link to comment Share on other sites More sharing options...
cluberti Posted June 29, 2010 Share Posted June 29, 2010 Yes, but a group change requires a logoff to take effect. This isn't easy to script, either.The real question is, why does the user need to make a change to a file in Program Files? Can this be done via a script run from another management tool that runs as admin? Link to comment Share on other sites More sharing options...
IcemanND Posted June 29, 2010 Share Posted June 29, 2010 Run as a startup script via AD GPO?Use the preferences in a GPO to change the file permissions. If you need the file on your machines just copy from another machine and make the appropriate folder structure to hold it. No need to install the app. Link to comment Share on other sites More sharing options...
cluberti Posted June 29, 2010 Share Posted June 29, 2010 That would be my suggestion - machine startup script, or loosen permissions right down to that specific location on the box and live with the reduced security. Apps that require users to write to protected areas of a machine should be thrown out as soon as possible anyway, or at least the developers drawn and quartered in public, and then replaced with competent ones that care about security. Link to comment Share on other sites More sharing options...
Bad boy Warrior Posted June 29, 2010 Author Share Posted June 29, 2010 Apps that require users to write to protected areas of a machine should be thrown out as soon as possible anywayThat answers why i have this issue. Once users get hooked onto an app they dont let go. Itll have to go down the machine stratup script.Thanks everyone Link to comment Share on other sites More sharing options...
cluberti Posted June 29, 2010 Share Posted June 29, 2010 NP . I'd still quarter the devs... Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now