RSchwarz
Administrator
FULL CONTROL, the worst permission ever!
Have you ever tried to set up permission for a folder? It's an easy task, user can or can't do something. But when you have to set up permissions for a "non standard program"? Where I work we have 3 programs that are developed by an external society and they don't provide many details regarding folders / registry keys used. Sometime a program starts and works, but a little part of that doesn't work. You can do a test by starting the program with admin's right, if the problem doesn't persist anymore, it means there is a permissions's issue.
You can't assign admin's right to a user because of a program need access to somewhere... so you could assign a full control permission on a folder... but this doesn't mean you resolve the problem. Anyway, full control is not a solution!
Here comes Process Monitor: http://technet.micro...ernals/bb896645 from SysInternals, it's free and it can save you from having problem with wrong permissions.
Once started, this tool can monitor every process running on the machine (it requires admin's right), lucky you have the choice to use FILTERS. Let's say the program which doesn't work is called myprogram.exe and the user is connecting via TS with the username "Buddy". Click on FILTER and select from dropdown list "PROCESS NAME", then select IS and then type "myprogram.exe" (without quotes). Click add and add another one: select USER and then CONTAINS, finally type: "Buddy" (again, without quotes). These two filters are useful but there's still something to do. Add another filter: from drop down select EVENT then IS and then type "ACCESS DENIED" (without quotes), this filter allows you to check ONLY what cannot be used / accessed for a user. Click OK and you should see a blank page because your program is not running. Now open the program and check the Process Monitor log. Maybe you will find something, maybe not. Do the operation with the program that you know it doesn't work, than check again the log. Usually you can find a file or a registry key that is NOT ACCESSIBLE, and under DETAILS you can find "DESIRED ACCESS:" which tells you what kind of permission the program's need. Sometime a program require only READ permission to a registry key, sometime it needs also edit or delete. Understanding if a permission is required or not, it's up to you!
Pay attention to the voice called ACCESS DENIED, sometimes WORDS or OUTLOOK are shown as "ACCESS DENIED" but this doesn't mean you have to unblock them!
Maybe in the next week I will post something more, for now make a try and please... STOP USING FULL CONTROL!
Also check this guide:
http://blogs.technet...d-examples.aspx
Have you ever tried to set up permission for a folder? It's an easy task, user can or can't do something. But when you have to set up permissions for a "non standard program"? Where I work we have 3 programs that are developed by an external society and they don't provide many details regarding folders / registry keys used. Sometime a program starts and works, but a little part of that doesn't work. You can do a test by starting the program with admin's right, if the problem doesn't persist anymore, it means there is a permissions's issue.
You can't assign admin's right to a user because of a program need access to somewhere... so you could assign a full control permission on a folder... but this doesn't mean you resolve the problem. Anyway, full control is not a solution!
Here comes Process Monitor: http://technet.micro...ernals/bb896645 from SysInternals, it's free and it can save you from having problem with wrong permissions.
Once started, this tool can monitor every process running on the machine (it requires admin's right), lucky you have the choice to use FILTERS. Let's say the program which doesn't work is called myprogram.exe and the user is connecting via TS with the username "Buddy". Click on FILTER and select from dropdown list "PROCESS NAME", then select IS and then type "myprogram.exe" (without quotes). Click add and add another one: select USER and then CONTAINS, finally type: "Buddy" (again, without quotes). These two filters are useful but there's still something to do. Add another filter: from drop down select EVENT then IS and then type "ACCESS DENIED" (without quotes), this filter allows you to check ONLY what cannot be used / accessed for a user. Click OK and you should see a blank page because your program is not running. Now open the program and check the Process Monitor log. Maybe you will find something, maybe not. Do the operation with the program that you know it doesn't work, than check again the log. Usually you can find a file or a registry key that is NOT ACCESSIBLE, and under DETAILS you can find "DESIRED ACCESS:" which tells you what kind of permission the program's need. Sometime a program require only READ permission to a registry key, sometime it needs also edit or delete. Understanding if a permission is required or not, it's up to you!
Pay attention to the voice called ACCESS DENIED, sometimes WORDS or OUTLOOK are shown as "ACCESS DENIED" but this doesn't mean you have to unblock them!
Maybe in the next week I will post something more, for now make a try and please... STOP USING FULL CONTROL!
Also check this guide:
http://blogs.technet...d-examples.aspx