Lowest user permissions, folder redirection and applications that do not run because of a weird profile

I sometimes have a goal of lowest user privileges. Not often enough, though. End users have a much harder time installing junk programs if they are not a local administrator, and drive-by malware may have a harder time getting installed. My newsgroup buddies JeffM and SusanB have given me clues and tools for making users plain workstation users. As you may know, too many vendors say “make the user an administrator” so their application will work. You can use tools like Filemon and Regmon (since folded into Process Monitor) to see what is really going on when you run an application; they let you watch what is happening with the files and the registry. For my down-and-dirty test I generally know, or assume, two things: the user needs Full Control of the application folder and of the HKLM\Software key for that application. That assumption may overstate how elevated the permissions need to be, but that is where I start.


I am logged in to the workstation as Administrator. I might be logged in as a domain administrator, but usually I log on as the local Administrator. I then go into Control Panel > Add or Remove Programs to uninstall any “junk” that either came with the workstation or the user installed. Junk is subjective, but it includes Google Desktop, the Yahoo toolbar for IE, screen savers, shopping helpers and anything else that has bitten me in the past. I delete temp files for all the users, delete their IE temp files and run a defrag. I might scan for malware, spyware and viruses if the machine is behaving oddly. That is some of the housekeeping 101 I do.


I go to My Computer, right-click, Manage, and open Local Users and Groups. I look at the Administrators group and remove anyone who should not be in there.


I then log on as the worker bee and let them work. If everything is working well, great. The registry and folder permissions have worked every time for me. I have heard application tech support tell me that the user needs to be an administrator. My reply is “How is your Vista development going?” I work regularly with four third-party doctor office software packages, and I do have to call in on occasion. Sometimes I hear that administrator nonsense, which I explain away.
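Here is the whole sequence scripted, as an added example that is not from the original post: audit the local Administrators group, grant the worker-bee account Modify on the application folder and write access on the vendor's HKLM\Software key, and leave everything else alone. It assumes Windows PowerShell 5.1 run elevated on the workstation; the folder path, registry key, user name and approved-admin list are placeholders. Modify rather than Full Control on the folder, and ReadKey/WriteKey/Delete rather than Full Control on the key, is enough for most applications and keeps the user from changing the permissions themselves; if the application still fails, Process Monitor (the successor to Filemon and Regmon) with a filter of "Result is ACCESS DENIED" shows exactly which extra path or key to add.

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell 5.1
# run as an administrator on the workstation; every path, key and account name
# below is a placeholder to replace with the real ones.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$UserAccount      = 'CONTOSO\aajohnson',                         # assumed worker-bee account
    [string]$AppFolder        = 'C:\Program Files\ExampleVendor\ExampleApp', # assumed install folder
    [string]$AppRegKey        = 'HKLM:\SOFTWARE\ExampleVendor',              # assumed vendor key
    [string[]]$ApprovedAdmins = @('Administrator', 'Domain Admins')          # who may stay in Administrators
)

# 1. Take everyone out of the local Administrators group who is not on the approved list.
#    Members come back as MACHINE\user or DOMAIN\group; compare on the part after the backslash.
foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    $short = $member.Name.Split('\')[-1]
    if ($ApprovedAdmins -notcontains $short) {
        if ($PSCmdlet.ShouldProcess($member.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $member.Name
        }
    }
}

# 2. Give the user Modify (read, write, create, delete) on the application folder and
#    everything under it. Modify deliberately omits Change Permissions and Take Ownership.
if (Test-Path -LiteralPath $AppFolder) {
    $folderAcl  = Get-Acl -LiteralPath $AppFolder
    $folderRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $UserAccount, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $folderAcl.AddAccessRule($folderRule)
    if ($PSCmdlet.ShouldProcess($AppFolder, "Grant Modify to $UserAccount")) {
        Set-Acl -LiteralPath $AppFolder -AclObject $folderAcl
    }
} else {
    Write-Warning "Application folder not found: $AppFolder"
}

# 3. Same idea for the vendor's HKLM\Software key: read, write and delete values and
#    subkeys, inherited by subkeys, but no right to change the key's permissions.
if (Test-Path -LiteralPath $AppRegKey) {
    $regAcl  = Get-Acl -LiteralPath $AppRegKey
    $regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $UserAccount, 'ReadKey, WriteKey, Delete', 'ContainerInherit', 'None', 'Allow')
    $regAcl.AddAccessRule($regRule)
    if ($PSCmdlet.ShouldProcess($AppRegKey, "Grant ReadKey/WriteKey/Delete to $UserAccount")) {
        Set-Acl -LiteralPath $AppRegKey -AclObject $regAcl
    }
} else {
    Write-Warning "Registry key not found: $AppRegKey"
}

# 4. Show what is left so it can be eyeballed before the user logs on.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass
if (Test-Path -LiteralPath $AppFolder) {
    (Get-Acl -LiteralPath $AppFolder).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}
```

Run it once with -WhatIf to see which accounts would be pulled out of Administrators before doing it for real, then log on as the user and test the application.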


So every Jim story has a long story, it seems. I did this last week for E-Mds. It worked fine. The short story was that a user could not scan in E-Mds unless the workstation login was a domain administrator login. I did my registry and file permissions. We logged in as the user who usually sits at the workstation and did a test scan. Things worked great. I get a call a day later and it is not working. I click away trying to find out why and get nowhere. I call E-Mds support and we start working on things. I happen to like their support. The folks are friendly and we always solve the problem, usually pretty quickly. Well, today was not a quick call. We click around and nothing helps. I add Domain Users to the local workstation Administrators group and that does not help. That should have eliminated any folder permissions issue on the workstation. I open Notepad and do some Save As to the folder on the server that the application uses. That should eliminate server folder issues.


I create a new user on the domain. I log on to the workstation as the new user and E-Mds scanning works fine. That eliminates the workstation and the server permissions. It is down to the user. In the past I have deleted workstation user profiles when something odd just keeps biting me, and that almost always seems to work. It did not this time. I had the same issue when I logged back on as the problem user. I did see that the user was getting a new profile built, as it took a few minutes for the first login to happen. I inherited the SBS, so I am not positive about everything that has been done. I saw no sign of Desktop redirection or user profile redirection; I did have My Documents redirection, though. I looked in the user’s folder on the server and saw nothing weird. Well, that is not quite true: I did have an issue saving a shortcut to her folder, but I could create a new .txt file in her user folder. While she was logged off I renamed her folder 1aajohnson. I made a new aajohnson folder and set the security permissions correctly. I logged on as aajohnson and E-Mds scanning worked fine. I copied all of her documents over from her old folder to her new folder. Everything still worked fine.
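The chase in this story, as an added example that is not from the original post: a script that shows where the logged-on user's shell folders actually point, tries to create both a .txt and a .lnk in each redirected one (the two things that behaved differently above), lists the permissions on that folder, and, if the folder has to be rebuilt, creates a fresh one with the usual redirected-folder permission set: the user, SYSTEM and the administrators group with Full Control, inheritance from the share root cut off, and the user as owner. The diagnostic part runs as the affected user on the workstation (it reads that user's HKCU); the rebuild part runs as an administrator on the file server. The share path, user name and admin group are placeholders.

```powershell
# Added example, not code from the original post. Diagnostics run as the affected
# user (they read that user's HKCU); the rebuild function runs as an administrator
# on the file server. Share path, account and group names are placeholders.

function Get-RedirectedShellFolders {
    # Where Explorer really puts My Documents, Desktop and AppData for the current user.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $usf = Get-ItemProperty -LiteralPath $key
    foreach ($name in 'Personal', 'Desktop', 'AppData') {
        $path = [Environment]::ExpandEnvironmentVariables([string]$usf.$name)
        [pscustomobject]@{
            Folder     = $name
            Path       = $path
            Redirected = -not $path.StartsWith($env:USERPROFILE, [StringComparison]::OrdinalIgnoreCase)
        }
    }
}

function Test-FolderWrite {
    # Create and delete a small file with each extension. A .txt that succeeds next to
    # a .lnk that fails means something is filtering on file type, not a plain
    # missing-write-permission problem.
    param([string]$Path, [string[]]$Extensions = @('.txt', '.lnk'))
    foreach ($ext in $Extensions) {
        $probe = Join-Path $Path ("write-probe-{0}{1}" -f [guid]::NewGuid(), $ext)
        try {
            [IO.File]::WriteAllText($probe, 'probe')
            Remove-Item -LiteralPath $probe -Force
            [pscustomobject]@{ Extension = $ext; Result = 'OK' }
        } catch {
            [pscustomobject]@{ Extension = $ext; Result = "FAILED: $($_.Exception.Message)" }
        }
    }
}

function New-RedirectedUserFolder {
    # Fresh redirected folder with the usual permission set: the user, SYSTEM and the
    # admin group get Full Control, nothing is inherited from the share, the user owns it.
    # Run on the file server as an administrator; assigning ownership to another account
    # needs the "Restore files and directories" privilege that administrators hold.
    param(
        [Parameter(Mandatory)] [string]$Path,          # e.g. \\SBS\Users\aajohnson (assumed)
        [Parameter(Mandatory)] [string]$UserAccount,   # e.g. CONTOSO\aajohnson (assumed)
        [string[]]$FullControlAlso = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    $dir = New-Item -ItemType Directory -Path $Path -ErrorAction Stop
    $acl = Get-Acl -LiteralPath $dir.FullName
    $acl.SetAccessRuleProtection($true, $false)        # stop inheriting and drop inherited rules
    foreach ($who in @($UserAccount) + $FullControlAlso) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $who, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    $acl.SetOwner([System.Security.Principal.NTAccount]$UserAccount)
    Set-Acl -LiteralPath $dir.FullName -AclObject $acl
    Get-Acl -LiteralPath $dir.FullName                 # show the result for the record
}

# --- Diagnostic run, as the affected user on the workstation ---
$folders = Get-RedirectedShellFolders
$folders | Format-Table -AutoSize
foreach ($f in $folders | Where-Object Redirected) {
    "`n== $($f.Folder) -> $($f.Path)"
    Test-FolderWrite -Path $f.Path | Format-Table -AutoSize
    (Get-Acl -LiteralPath $f.Path).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited, AccessControlType |
        Format-Table -AutoSize
}

# --- Rebuild, as an administrator on the file server, with the user logged off ---
# Rename-Item '\\SBS\Users\aajohnson' '1aajohnson'                 # keep the old folder (paths assumed)
# New-RedirectedUserFolder -Path '\\SBS\Users\aajohnson' -UserAccount 'CONTOSO\aajohnson'
# Copy-Item '\\SBS\Users\1aajohnson\*' '\\SBS\Users\aajohnson' -Recurse
```

Compare the Access listing on the old renamed folder with the one on the rebuilt folder; a deny entry, a missing SYSTEM entry, or inherited rules from the share root that differ from the other users' folders are the usual things that show up only on the one user who is "weird".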


So the takeaway: you can get bitten not only by a weird local user profile but also by a redirected user folder.

