Thanks for all the suggestions everyone, this may help me a lot. The underlying application is, of all things, an Excel plug-in that imports out to a third-party app called Vision. I have opened a call with their support team to try and find out why this function needs admin access. I blatted Change permissions for the Users group all down the c: drive of a test server, gave them various flavours of user rights they don't normally have, edited a few registry permissions, still no dice. I really need to find out whether the access rights are applying to the local machine or the database server that it connects to over the network. it doesn't help that we have things like AppSense Application Manager running which only allow certain things to execute from network drives, which could potentially be adding to the mix.
I think I may give some of these free RunAs alternatives a try to see if I can conceal the password in the short term, and hopefully application support may be able to tell me what perms/rights I need to tweak so ordinary users can run the damned plugin. Cheers, 2008/8/7 Miller Bonnie L. <[EMAIL PROTECTED]> > Maybe one of these? > > > > http://www.commandline.co.uk/sanur/ > > > > Have you tried running filemon/regmon to see if it really needs admin > access? > > > > -Bonnie > > > > *From:* James Rankin [mailto:[EMAIL PROTECTED] > *Sent:* Thursday, August 07, 2008 8:55 AM > *To:* NT System Admin Issues > *Subject:* Re: Access token update > > > > You appear to be right, just tried it and no joy. > > > This is a real pain in the backside for me and is going to be one of those > ways that end-users end up with administrative rights - in this case, not on > their local machines, but on a terminal server. Unfortunately I can't see > any way around it other than writing some sort of custom "admin wrapper" > that lets a program execute like RunAs but without allowing any access to > the password. > > If anyone else has any ideas or tips I'd be glad to hear them :-) > > 2008/8/7 Krishna Reddy <[EMAIL PROTECTED]> > > I don't think so. I believe that local groups are evaluated at login. > > > > Thanks, > > > > Krishna Reddy > IT Manager > Nucomm, Inc. > > > > > ------------------------------ > > *From:* James Rankin [mailto:[EMAIL PROTECTED] > > *Sent:* Thursday, August 07, 2008 9:44 AM > > > *To:* NT System Admin Issues > > *Subject:* Re: Access token update > > Thought about that, but they would have to have access to the admin > password, which makes it kind of a non-starter > > > Having said that, if a user is already a member of a group, if they are > logged in, and you add their existing group to local Administrators, will > they pick up admin rights without logging off? > > 2008/8/7 Ken Schaefer <[EMAIL PROTECTED]> > > Runas? > > > > Cheers > > Ken > > > > *From:* James Rankin [mailto:[EMAIL PROTECTED] > *Sent:* Thursday, 7 August 2008 8:58 PM > *To:* NT System Admin Issues > *Subject:* Access token update > > > > Is there any way to update a Windows user's access token without logging > off? I have some really ancient export function that seems to require > administrator rights to run successfully, but my users will receive a > different desktop (i.e. without any of their applications) if they have to > log out and back in when they are given elevated rights. My research seems > to indicate that the answer to this is a resounding no, but I am hoping > someone knows something I don't :-) > > TIA, > JRR > > > > > > > > > > > > > > The information contained in this email and attachments to this email are > the proprietary and confidential property > of Nucomm, Inc. The information is provided in strict confidence and shall > not be reproduced, copied, or > used (partially or wholly) in any manner without prior, express written > authorization of Nucomm, Inc. > > > > ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
