David Schwartz

Install flag to say it's for ALL USERS?


I honestly cannot answer any further questions. I just don't know enough about how Windows security works today, or what these brainiacs have in mind with their restrictions and how we're supposed to work. (I guess their viewpoint is like this: When your only tool is a way to impose security restrictions, the whole world looks like a threat that needs to be kept at bay.)

I started out with DOS and then Windows 3.1, then I learned Unix Sys V and those U / G / W permissions made sense. And there are the UID and GID bits that you can set to "run as..." the file's UID / GID if needed.

But when MS introduced Win NT and the Secured Registry, I never bothered to dig into all of its subtleties. I'm a developer, not a Sys Admin, so as long as I can get my work done, I don't care. When security issues arise, I let the Sys Admins deal with them.

At this job, we cannot run regedit. We cannot execute .reg files from the command line (I guess they use regedit). They have provided us with a batch file we can use to peek and poke individual registry entries in part of the Registry, but not subtrees.

Most people have one main login and there's something where they can ask for Admin access for 15 minutes, and they have to explain why. When you get approval, you click on something and it does a kind of "switch user" thing. When the 15 minutes is up, it switches back. If you're in the middle of something, it gets all borked-up as the ACLs change mid-stream.

We Devs were issued a separate Admin login so we don't need to ask permission. But it's just a different login that has Admin rights -- otherwise it's unrelated to our normal login.

I was told this policy was established so if someone got our normal user login credentials, they wouldn't have any ability to elevate to Admin status from that userid at all.

Using my Admin login to install software, it used to work ok in that I could run the apps as my normal userid. But something was changed in the past 6 months so the files it installs and stuff it puts in the Registry can only be accessed (i.e., read, not just written) by users who are members of the Admin group -- meaning my normal userid can't even see them. I was able to install Delphi 10.4.2 under my Admin login, but it won't even launch now under my normal userid. It works fine under my Admin login, however, but we're not supposed to use the Admin login for normal work.

I had to copy some DLLs into Delphi's bin folder; I switched to my Admin login, copied the files, then switched back. My normal user couldn't see or access the files I just put into the bin folder. I had to have the Sys Admin intervene.

PAM can be used to grant your user account temporary Local Admin rights if supported by policies. That would solve your problem @David Schwartz
