DLL registration without local administrator rights
Home > IT Answers > Security > DLL registration without local administrator ...
NotAnAdministrator
0 pts.
0
Q:
DLL registration without local administrator rights
Security, Servers, Microsoft Windows, Management, Desktop management applications, Business/IT alignment, Software, OS, Desktops, SQL Server, Altiris, DataCenter
Hi there

We create an Excel addin using MATLAB Builder for Excel.

Our IT department has taken away local administrator rights from all users of our addin.

We are able to install the addin using Altiris, but how can we allow users without
admin rights to upgrade to new versions of our addin? To upgrade, they need to register a
DLL(same name every time) and they need write access to a folder called C:SCMBExcelTools.

Would it be possible to permit upgrades using Group Policy? Please point me to documentation/references that describe how to do it.

Thank you very much,

Willem van Schalkwyk
ASKED: Nov 22 2006  11:56 AM GMT
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
RELATED QUESTIONS
0
Dipstah
0 pts.
0
A:
 RATE THIS ANSWER
0
Click to Vote:
  •   0
  •  0
  • AddThis Social Bookmark Button
Hello,

We use BeyondTrust Privilege Manager to elevate permissions to applications while the user still has user rights.

snippet from beyondtrust http://www.beyondtrust.com/products/PrivilegeManager.aspx

BeyondTrust? Privilege Manager gives organizations the ability to implement the fundamental security principle of least privilege using native Windows security constructs. This principle is essential not only as a security best-practice, but also to satisfy most security-focused regulatory compliance directives. The principle is defined in the famed ?Orange Book? as follows:

?Least Privilege ? This principle requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use.?

The product is implemented as a true Group Policy extension that allows administrators to attach permission levels to applications. Applications, users and computers are targeted using standard Group Policy conventions and Privilege Manager per-setting filters. Simply specify the application and which security groups should be added to and/or removed from the process token when the application is launched.

Regards
Mike
Last Answered: Nov 22 2006  2:14 PM GMT by Dipstah   0 pts.
  •   
0
0
RSS - Discussions Help
Discuss This Answer:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _



_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

jjuliannc   0 pts.  |   Nov 22 2006  4:00PM GMT

You can register a DLL by using an account that does not have administrative credentials as long as the DLL does not write to the registry or change files in the System32 folder.

That said, updating an existing dll with a new version of the same name with existing keys in the HKEY_CURRENT_USER hive should not be an issue.

The custom folder C:SCMBExcelTools (assuming not “C:Program FilesSCMBExcelTools”) should not be affected by the security level of the logged on user unless the IT admin or through the logon process the folder security is being set restrictive.

Hope this helps.

Aideme

 
0