Good to know ... I did try the folder permission technique, but it appears
there is a registry update ... local admin acct, of course, works.

OTOH, the students do not *know* that this "special" account may also do
other things they normally aren't able to do ...to them its just another
account..

Only a matter of time until they discover the forbidden fruit --- am I being
paranoid ? It seems silly to compromise the built-in security of XP .. the
tail wagging the dog ?

Bill

-----Original Message-----
From: School Information Technology Discussion
[mailto:[log in to unmask]]On Behalf Of John Carolin
Sent: Friday, May 26, 2006 10:12 AM
To: [log in to unmask]
Subject: Re: software installation, local permissions, licensing


Legacy Apps on an XP machine.  Always interesting...

Other than using XP local admin permissions, (which we typically give
teachers), we end up "fiddling" on an app by app basis to enable student
access.  As was stated earlier, if the app requires a registry write,
all bets are off.  However, we have seen that some apps only require the
ability to write to a file or folder specific to that app.  Often times
this is the folder the app installed to.  In an attempt to minimize
compromising XP restrictions for students, yet allow the app to run, we
change the security permissions on the app's folder only, to allow all
users full access.  This seems to work more often than not, and still
keeps us more or less within our workstation security structure.

Hope this helps, and good luck.
John

-----Original Message-----
From: School Information Technology Discussion
[mailto:[log in to unmask]] On Behalf Of Bill Clark
Sent: Friday, May 26, 2006 9:49 AM
To: [log in to unmask]
Subject: Re: software installation, local permissions, licensing


I ran into this plm with the library computers running a great legacy
vocabulary program. It required local admin status for the user in order
to run the app successfully.

I needed to create a special user account which had local admin rights,
to allow students to use the app. As long as they login with that
username and password, they can run the program.

Tedious to say the least.

So, I wld like to know if there is a better way to successfully run
legacy apps on an XP machine ..

Bill CLark
Austine School for the Deaf



-----Original Message-----
From: School Information Technology Discussion
[mailto:[log in to unmask]]On Behalf Of Vince Rossano
Sent: Friday, May 26, 2006 9:06 AM
To: [log in to unmask]
Subject: Re: software installation, local permissions, licensing


>
>
>>>> [log in to unmask] 5/25/2006 4:22:35 pm >>>
>Just looking for advice from others about the advisability of making
people local admins (are there any steps between
>power users and admins?) and how people with a mixed or laissez-faire
installation policy deal with licensing issues.

At Montpelier, we have a "lazy-faire" policy.  In other words, we're too
lazy to run around to everyone's machine anytime some non-certified app
wants updating, so we've just decided to live with big security holes
hoping that, in the long run, we'll put in less time fixing user
screw-ups than running back and forth doing normal system operations.
Hence, we give our users who have their own workstations (which students
do not have access to) Power User or, more often in fact, admin rights.
NB: I do not recommend this to faint-of-heart network administrators;
it's only for negligent risk-takers like me.

More seriously, we run a lot of legacy apps, which just won't run for
someone with basic user privileges.  For instance, they might have an
.ini file that needs to be written to each time they run or some such
anomaly.  Power User status seems to solve most of those problems, but
not all, so we go all the way to Administrator for most users.  I've
found, as far as security is concerned, the difference between Power
User and Administrator is not nearly as great as that between User and
Power User.  Once you to go to Power User, it isn't that big a leap to
Administrator.  (You mention not writing to the registry, but it's my
experience that Power Users can write to the registry.  In fact, Users
can write to the registry, but only to the volatile "HKEY_CURRENT_USER"
section.)

I don't believe there is anything between Power User and Admin in XP,
but I hear Vista's Power User group will have much more granularity.
However, I believe that will mean giving them fewer rights, not more.
That could make the group more acceptable to network managers that
aren't getting smart and moving to Linux on the desktop.

As for unauthorized/unlicensed software, despite our threats of knee-cap
breaking, some of our users will go ahead and install their own
software.  When we catch them, however, we feel free to re-image their
machines taking with it any files, favorites, etc. that are stored on
the local machine.  But, actually, we don't have a lot of violations of
this kind.

Vince
--

Vince Rossano
Information Technology Director
Montpelier Public Schools
Montpelier, VT 05602

(802) 225-8690