Privilege Manager Community Forum

Ok, this is a somewhat loaded question. I need a Rule to allow Windows 7 and XP users the ability to alter the registry while they remain power users. We have a big issues with Engineers who create install files that need Admin rights to run them and who also use a lot of test equipment and need access to Device Manager (thanks for the elevated Windows 7 Device Manager Rule...works great.). I know this is a hard topic to tackle but it will be nice...right now in Desktop Authority I've created a template in Config Management--Group Policy Temp--System--Prevent access to registry editing tools and have to elements one to allow and one to disallow and validation logic is by Groups. This works fine but I think the user still has to be an Administrator of the local workstation but in XP they do not (those 2 elements one is validation logic allowed group and not allowed of course.) Now my other problem connected to that is that we have a program on a file share that installs through a .bat file you run logged in as Administrator then as the power user. But of course if I don't put that user in the allowed group momentarily to do that install it won't work. Not a big problem but I'd like to elevate it for that install through a rule too...if possible.

So to summarize things. Certain software engineers the ability to edit registry without being admin of computer and basic power users not have the ability to access registry but still be able to install the company wide software on that user's side.

Any help or direction to how to do this would be greatly appreciated.


Thanks in advance.

Floyd

Hello Floyd,

I believe that if you use the Desktop Authority group policy template to prevent access to registry editing tool that it might prevent any users (including those with admin rights or PA elevated rights from modifying the registry).

In general, if you take away admin rights from a user, they will not be able to modify registry (without the need for the Desktop Authority policy). At that point, you could create rules for specific software engineers which would elevate the rights of specified processes to modify the registry.

If your software engineers need to be able to directly modify the registry, you could write a rule to elevate "regedit.exe".
Or, if your software engineers only need to be able to modify the registry via MSI installs, you could write a rule to elevate all instances of "msiexec.exe".
Or, if your software engineers only need to be able to modify the registry via some specific batch file, then you could write a rule for that batch file (for the process cmd.exe with the specific command line arguments for launching the bat file in question).

Does any of that seem to apply to your situation?

~Don

Thank you Don...let me try that and I'll get back to you first thing next week. Much appreciated.