Originally posted by OccamAssassin
reply to post by PhoenixOD
This is a stab in the dark as the info supplied is a little vague but it sounds like there could be a module/application dependency that is not authorised.
For example, application "A" has dependencies "b", "c" & "d" which it requires to operate. Whilst application "A" may be authorised for use by "user x", the dependent modules/applications/DLLs may only be permitted to run by "user y".
You could try running the application in question as root/admin and paste a list of the dependencies into a text file. Then just check them one by one until you find the offending code. Once you know what is causing the grief, you can set a rule for the user to allow the app/module and voila.
Originally posted by okamitengu
Aren't group policies controlled from a server?
Are you working inside a domain? Get your user profile elevated to a local admin.
Originally posted by PhoenixOD
reply to post by Myth024
Thanks for the reply, Myth024. But what I'm trying to do is work out why the 'basic user' setting in Software Restriction Policy in Group Policy just blocks all access to whatever it's applied to, rather than forcing it to run in basic user mode like it's supposed to.
Allows programs to execute as a user that does not have Administrator access rights, but can still access resources accessible by normal users.
So if you set a rule for a piece of software (that needs admin privileges) to run as if a basic user was running it, and the basic user can't run programs as an Admin, then the program would refuse to run because a basic user can't run the program with admin rights. This also means that you have to check to make sure the permissions of normal users are set so that they can execute the program in question. I infer that if you pointed the program to unrestricted, then any basic user should be able to run it without an issue.
Disallowed : Software will not run, regardless of the access rights of the user.
Basic User : Allows programs to execute as a user that does not have Administrator access rights, but can still access resources accessible by normal users.
Unrestricted : Software access rights are determined by the access rights of the user.
In Vista I used UAC and Software Restriction Policy (SRP) basic user to limit elevation. In UAC I only allowed signed programs from safe places to elevate. This still left me with some internet-facing software like Outlook and IE9 (which are signed and installed in Program Files). When I added an SRP of basic user to IE9 and Outlook, this prevented those malware entry points from elevating. In Windows 7 the SRP basic user acts as deny execute. An updated blog post on how to use basic user Software Policy Restrictions in Windows would be appreciated.
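
An added example, not posted by anyone in this thread: one way to see which Software Restriction Policy path rules are set to Basic User, so each affected program can be checked in turn. It assumes the policy is stored in the standard SRP registry location with the usual level IDs (0, 131072, 262144); the function name `Get-SrpPathRule` is made up for this example.

```powershell
# Added example: list SRP path rules and the security level each one is filed under.
# Written for PowerShell 2.0 and later, so it also runs on a stock Windows 7 host.
function Get-SrpPathRule {
    param(
        # Machine-wide policy store; use the same path under HKCU: for per-user policy.
        [string]$Root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    )

    # Level subkeys are named after the decimal level ID.
    $levelNames = @{
        '0'      = 'Disallowed'
        '131072' = 'Basic User'     # 0x20000
        '262144' = 'Unrestricted'   # 0x40000
    }

    if (-not (Test-Path $Root)) {
        Write-Warning "No Software Restriction Policy found under $Root"
        return
    }

    foreach ($levelKey in Get-ChildItem -Path $Root) {
        $id = $levelKey.PSChildName
        if (-not $levelNames.ContainsKey($id)) { continue }

        # Path rules live in <level>\Paths\{GUID}; ItemData holds the path or pattern.
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }

        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $values = Get-ItemProperty -Path $rule.PSPath
            New-Object PSObject -Property @{
                Level       = $levelNames[$id]
                Path        = $values.ItemData
                Description = $values.Description
                RuleId      = $rule.PSChildName
            }
        }
    }
}

# Default level applied to anything no rule matches, then the Basic User rules.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (Test-Path $policyRoot) {
    "DefaultLevel = {0}" -f (Get-ItemProperty -Path $policyRoot).DefaultLevel
}
Get-SrpPathRule |
    Where-Object { $_.Level -eq 'Basic User' } |
    Select-Object Level, Path, Description |
    Format-Table -AutoSize
```

Domain Group Policy rewrites these keys on refresh, so treat the output as a read-only view of what the host is currently enforcing.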