David Schwartz, Posted March 3, 2021 (edited)

I honestly cannot answer any further questions. I just don't know enough about how Windows security works today, or what these brainiacs have in mind with their restrictions and how we're supposed to work. (I guess their viewpoint is like this: when your only tool is a way to impose security restrictions, the whole world looks like a threat that needs to be kept at bay.)

I started out with DOS and then Windows 3.1, then I learned Unix Sys V, and those U / G / W permissions made sense. And there are the UID and GID bits that you can set to "run as..." the file's UID / GID if needed. But when MS introduced Win NT and the Secured Registry, I never bothered to dig into all of its subtleties. I'm a developer, not a Sys Admin, so as long as I can get my work done, I don't care. When security issues arise, I let the Sys Admins deal with them.

At this job, we cannot run regedit. We cannot execute .reg files from the command line (I guess they use regedit). They have provided us with a batch file we can use to peek and poke individual registry entries in part of the Registry, but not subtrees.

Most people have one main login, and there's something where they can ask for Admin access for 15 minutes, and they have to explain why. When you get approval, you click on something and it does a kind of "switch user" thing. When the 15 minutes is up, it switches back. If you're in the middle of something, it gets all borked-up as the ACLs change mid-stream.

We devs were issued a separate Admin login so we don't need to ask permission. But it's just a different login that has Admin rights; otherwise it's unrelated to our normal login. I was told this policy was established so that if someone got our normal user login credentials, they wouldn't have any ability to elevate to Admin status from that userid at all.

When I used my Admin login to install software, it used to work OK in that I could run the apps as my normal userid. But something was changed in the past 6 months so that the files it installs and the stuff it puts in the Registry can only be accessed (i.e., read, not just written) by users who are members of the Admin group, meaning my normal userid can't even see them. I was able to install Delphi 10.4.2 under my Admin login, but it won't even launch now under my normal userid. It works fine under my Admin login, however, but we're not supposed to use the Admin login for normal work.

I had to copy some DLLs into Delphi's bin folder; I switched to my Admin login, copied the files, then switched back. My normal user couldn't see or access the files I just put into the bin folder. I had to have the Sys Admin intervene.

Edited March 3, 2021 by David Schwartz
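The symptom above (files installed or copied from the Admin session that the normal userid cannot even read) comes down to the DACL on the Delphi bin folder and the files under it. The following PowerShell script is an added diagnostic, not code from the thread or from Embarcadero; it dumps the folder's ACEs, reports whether a given principal gets ReadAndExecute, and can print the repair command. The install path in `$BinDir` and the `BUILTIN\Users` principal are assumptions; substitute your own. Run it first as the normal user: if `Get-Acl` itself fails with access denied, the DACL does not even grant READ_CONTROL, which is already the finding.

```powershell
# Added example (not from the thread). Diagnose why a non-admin user cannot read
# a folder an admin populated, e.g. the Delphi bin folder.
# $BinDir and $Principal are assumptions; adjust to your environment.
param(
    [string]$BinDir    = 'C:\Program Files (x86)\Embarcadero\Studio\21.0\bin',  # assumed path
    [string]$Principal = 'BUILTIN\Users',   # group a normal interactive user should belong to
    [switch]$Fix                            # print (do not run) the icacls repair command
)

$ErrorActionPreference = 'Stop'
$acl = Get-Acl -LiteralPath $BinDir

"Folder : $BinDir"
"Owner  : $($acl.Owner)"
"Inheritance from parent blocked: $($acl.AreAccessRulesProtected)"
''
'Access control entries on the folder itself:'
foreach ($ace in $acl.Access) {
    '{0,-5} {1,-40} {2,-40} inherited={3}' -f $ace.AccessControlType,
        $ace.IdentityReference.Value, $ace.FileSystemRights, $ace.IsInherited
}

# Work out what $Principal gets on this folder. Deny ACEs beat Allow ACEs, so check both.
# Only ACEs naming $Principal exactly are considered: a user's effective rights also
# come from every other group in its token (compare with "whoami /groups" as that user).
# Generic rights on some inherited ACEs show up as large raw numbers (e.g. 268435456)
# and are not expanded here; treat those as "inspect by hand".
$need  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$mine  = $acl.Access | Where-Object { $_.IdentityReference.Value -ieq $Principal }
$allow = $mine | Where-Object { $_.AccessControlType -eq 'Allow' }
$deny  = $mine | Where-Object {
    $_.AccessControlType -eq 'Deny' -and (($_.FileSystemRights -band $need) -ne 0)
}

$granted = 0
foreach ($a in $allow) { $granted = $granted -bor [int]$a.FileSystemRights }
$hasRead = (($granted -band [int]$need) -eq [int]$need) -and (-not $deny)

''
if ($hasRead) {
    "$Principal has ReadAndExecute on $BinDir (explicit or inherited Allow ACE)."
} else {
    "$Principal does NOT get ReadAndExecute on $BinDir."
    if ($deny)           { '  - a Deny ACE for this principal removes read rights' }
    elseif (-not $allow) { '  - no Allow ACE names this principal at all' }
    else                 { '  - the Allow ACE(s) present lack some ReadAndExecute bits' }
    if ($acl.AreAccessRulesProtected) {
        '  - inheritance is disabled, so the Program Files defaults are not applied here'
    }
}

# Files dropped into the folder normally inherit its ACEs; verify on one sample file,
# since a file moved (not copied) from elsewhere on the same volume keeps its own DACL.
$sample = Get-ChildItem -LiteralPath $BinDir -File | Select-Object -First 1
if ($sample) {
    $fAcl = Get-Acl -LiteralPath $sample.FullName
    "Sample file $($sample.Name): owner=$($fAcl.Owner), inheritance blocked=$($fAcl.AreAccessRulesProtected)"
}

if ($Fix) {
    # To run from an elevated (Admin) session. (OI)(CI) = propagate to files and subfolders,
    # RX = read and execute, /T = apply to existing children. Adds an Allow ACE, leaves others alone.
    ''
    'Run this from an elevated prompt to restore read access:'
    "icacls `"$BinDir`" /grant `"$($Principal):(OI)(CI)RX`" /T"
}
```

The two things the output makes visible are whether inheritance from `C:\Program Files (x86)` was cut on the bin folder (the usual reason a freshly installed tree stops being readable by `Users`) and whether a Deny ACE is involved, which no amount of added Allow entries will override. Copying a DLL in from the Admin session gives it the destination folder's inherited ACEs, so fixing the folder once with the printed `icacls` line normally fixes the files too; a file *moved* from another location on the same volume keeps its old DACL and needs the same treatment individually.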
eivindbakkestuen, Posted March 4, 2021

It sounds like your sys admins are working hard to keep developers from doing their work. 😞
Lars Fosdal, Posted March 4, 2021

PAM can be used to grant your user account temporary Local Admin rights if supported by policies. That would solve your problem @David Schwartz