Thursday, March 14, 2019

Granting Users Admin Privileges on Specific Applications via GPO Modifying Security Settings

In most corporate IT environments users are not given Administrative Privileges on their work computers.  This can lead to frustration on the part of the IT by having the need to run around and enter administrative credentials for users so that they can update certain software packages.  While there are solutions for software deployment, like publishing applications in Programs and Features, or going as far as using a larger scale system like SCCM.  These deployment methods can often be complicated to configure, and just as cumbersome as physically going to someone's desk and entering the admin credentials.

There is another solution that can be implemented, via GPO or at the time of image creation which can "trick" applications into thinking that users are actually administrators, therefore allowing them to update software on their own, w/o needing to involve IT staffers.  Which is simply giving users "admin rights" to specific folders and registry keys. 

In this post I'll explain how this can be down with Skype via a GPO.


You will be creating a GPO (Group Policy Object) to modify a Folder's (and sub-folders and file's) Security settings:

Create the new GPO and edit its properties and navigate here: 

 Computer Configuration > Windows Settings > Security Settings > File System

 Group Policy Management Editor Eile Action View Help ECON > Give Users Skype Admin Privileges [AD02ECON.UCLAC.UK] Polic Object Name Computer Configuration CA Central Access Policy Policies Software Settings Windows Settings Name Resolution policy Scripts (Startup/Shutdown) Deployed Printers Security Settings Account Policies Local Policies Event Log Restricted Groups System Services Registry File System Wired Network (IEEE 802.3) Policies Windows Defender Firewall with Advanced Security Network List Manager Policies Wireless Network (IEEE 80211) Policies Public Key Policies Software Restriction Policies Application Control Policies IP Security Policies on Active Directory (ECON.UCLAC.L Advanced Audit policy Configuration Policy-based QoS Administrative Templates: policy definitions (ADMX files) Preferences User Configuration Policies Preferences x

Right-click, and select add file, and then browse to the folder whose security setting's you want to modify

dpH SUOI dn aun SUO'I a6ueuv vodxa alsed PPV


Select the folder and click OK


Add a file or folder Md this file or foder to he template: Keepass Password Safe 2 Microsoft Skype for Desktop locales resou rces api 1 -O.dll api -ms-win-core-datetime-11-1 -Odll api I-Odll api-ms-win-core-errorhandling-ll-l-l api-ms-win-core-file-ll-l-odll x Folder: Skype for We New Folder Cancel

A security dialog box will appear, modify the security settings as desired.


Database Security for %ProgramFiles% Security Group or user names: ALL APPLICATION PACKAGES CREATOR OWNER SYSTEM Administrators (OH-126-2\Administrators) Users (OH-126-2\LJsers) Permissions for ALL APPLICATION PACKAGES Fun Control Modify Read and List Folder Contents Read For special permissions or advanæd settings, dick Advanced Cancel x Deny Advanced Apply

Select "Replace existing permissions on all subfolders and files with inheritable permissions" (usually the case), and click OK

Add Object %ProgramFiles% @ Configure this file or folder then Propagate inheritable permissions to all subfolders and fies x @ eplaæ existing perrrussions on all subfolders and files with inheritab Do not albw permissk•ns on this file or folder to be replaced o Edit Security... OK

Your new Security entry should now display in the GP Dialog Box:

x Group Policy Management Editor File Action Mew Help ECON > Give Users Skype Ad Computer Configuration Policies Software Setti ngS Windows Settings Name Resolut Scripts (Startul Deployed Prin Security Settin Account pc Local polic Event Log Restricted System Se Registry File Systen Centra Wired Net— ' Windows t Network Li Wireless N public Key Software R Applicati01 v Object Name ILA Central Access Policy %ProgramFiles% for Desktop




Why is this important?


In a sense what we have done here is given the Authenticated Users group full read/write access to this folder.  Many times this is enough to "trick" the application into thinking that the normal user is actually an administrator.  Therefore they will be able to update this certain application on their own without needing IT support intervention.

Note: (Not in the case of Skype), but some applications will have registry entries in HKLM>Software.  In this case you may need to modify the ACL on the Registry Key for that application in order for it to "believe" that the user has administrative privileges on the machine.


So let's apply the GPO to some machines in a Test OU...

Before: 
Skype for Desktop Properties security Previous Versions Customize General Sharing Object name C:\Program Files (x86)\Microsoft\Skype for Desktop x Group or user names: ALL APPLICATION PACKAGES ALL RESTRICTED APP PACKAGES CREATOR OWNER To change permissions. click Edit Permissions for ALL APPLICATION PACKAGES Full control Modify Read & execute List folder contents Read Write For special permissions or advanced settings. Allow click Advanced OK Cancel Edit Deny Adva nced Apply


Let's run gpupdate /force 

 Command Prompt icrosoft Windows [Version 10.0.17134.523] (c) 2018 Microsoft Corporation. All rights reserved . : \Users\uctpasØ>gpupdate /force

After:Skype for Desktop Properties security Previous Versions Customize General Sharing Object name C:\Program Files (x86)\Microsoft\Skype for Desktop x Group or user names: ALL APPLICATION PACKAGES CREATOR OWNER Authenticated Users To change permissions. click Edit Permissions for Authenticated Users Full control Modify Read & execute List folder contents Read Write For special permissions or advanced settings. Allow click Advanced OK Cancel Edit Deny Adva nced Apply

Let's look at an individual file's security properties inside of the Skype for Desktop Folder:

Skype.exe Properties General Security Compatibility' Deta ils x Digital Signatures Previous Versions Object name C:\Program Files (x86)\Microsoft\Skype for Desktop\Skypeexe Group or user names: ALL APPLICATION PACKAGES Authenticated Users SYSTEM Administrators (DH-126-2\Administrators) Users (DH-126-2\Users) To change permissions. click Edit Permissions for Authenticated Users Full control Modify Read & execute Read Write Special permissions For special permissions or advanced settings. click Advanced OK Allow Cancel Edit Deny Adva nced Apply

We see that the security settings have "trickled down" to sub-folders and files.  Users should now able to Update Skype without needing Admin Credentials or the assistance of the IT Support staff.



Publicado por en No comments:
Subscribe to: Posts (Atom)