microsoft.public.windowsxp.security_admin

Thanks Bruce and Lanwench...that was all great info!

--

"Bruce Chambers" wrote in message
news:uQ5qu2PdIHA.2000@TK2MSFTNGP05.phx.gbl...
> geek-y-guy wrote:
>> Hi All: I have an SBS2003 domain with a number of xppro sp2 clients. All
>> the computers are members of the domain, and I've set up domain users for
>> each computer.
>>
>> I have a USB scanner installed on one computer, and when a user logs on
>> to the local machine, they can access the scanner, but if they log on
>> using the domain account, they get an error when the scanner application
>> tries to load the (presumably) USB drivers for the scanner.
>>
>> It seems like a local security policy issue, but I can't figure out what
>> privileges the domain user needs to have the same access the local
>> account has?
>>
>
>
> You may experience some problems if the software was designed for
> Win9x/Me, or if it was intended for WinNT/2K/XP, but was improperly
> designed. Quite simply, the application doesn't "know" how to handle
> individual user profiles with differing security permissions levels, or
> the application is designed to make to make changes to "off-limits"
> sections of the Windows registry or protected Windows system folders.
>
> For example, saved data are often stored in a sub-folder under the
> application's folder within C:\Program Files - a place where no
> inexperienced or limited user should ever have write permissions.
>
> It may even be that the software requires "write" access to parts of
> the registry or protected systems folders/files that are not normally
> accessible to regular users. (This *won't* occur if the application is
> properly written.) If this does prove to be the case, however, you're
> often left with three options: Either grant the necessary users
> appropriate higher access privileges (either as Power Users or local
> administrators), explicitly grant normal users elevated privileges to the
> affected folders and/or part(s) or the registry, or replace the
> application with one that was properly designed specifically for
> WinNT/2K/XP.
>
> Some Programs Do Not Work If You Log On from Limited Account
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;q307091
>
> Additionally, here are a couple of tips suggested, in a reply to a
> different post, by MS-MVP Kent W. England:
>
> "If your game or application works with admin accounts, but not with
> limited accounts, you can fix it to allow limited users to access the
> program files folder with "change" capability rather than "read" which is
> the default.
>
> C:\>cacls "Program Files\appfolder" /e /t /p users:c
>
> where "appfolder" is the folder where the application is installed.
>
> If you wish to undo these changes, then run
>
> C:\>cacls "Program Files\appfolder" /e /t /p users:r
>
> If you still have a problem with running the program or saving settings on
> limited accounts, you may need to change permissions on the registry keys.
> Run regedit.exe and go to HKLM\Software\vendor\app, where "vendor\app" is
> the key that the software vendor used for your specific program. Change
> the permissions on this key to allow Users full control."
>
>
> --
>
> Bruce Chambers
>
> Help us help you:
> http://www.catb.org/~esr/faqs/smart-questions.html
>
> http://support.microsoft.com/default.aspx/kb/555375
>
> They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety. ~Benjamin Franklin
>
> Many people would rather die than think; in fact, most do. ~Bertrand
> Russell
>
> The philosopher has never killed any priests, whereas the priest has
> killed a great many philosophers.
> ~ Denis Diderot