Thursday, March 14, 2019

Granting Users Admin Privileges on Specific Applications via GPO Modifying Security Settings

In most corporate IT environments users are not given Administrative Privileges on their work computers.  This can lead to frustration on the part of the IT by having the need to run around and enter administrative credentials for users so that they can update certain software packages.  While there are solutions for software deployment, like publishing applications in Programs and Features, or going as far as using a larger scale system like SCCM.  These deployment methods can often be complicated to configure, and just as cumbersome as physically going to someone's desk and entering the admin credentials.

There is another solution that can be implemented, via GPO or at the time of image creation which can "trick" applications into thinking that users are actually administrators, therefore allowing them to update software on their own, w/o needing to involve IT staffers.  Which is simply giving users "admin rights" to specific folders and registry keys. 

In this post I'll explain how this can be down with Skype via a GPO.


You will be creating a GPO (Group Policy Object) to modify a Folder's (and sub-folders and file's) Security settings:

Create the new GPO and edit its properties and navigate here: 

Computer Configuration > Windows Settings > Security Settings > File System

Group Policy Management Editor 
Eile Action View Help 
ECON > Give Users Skype Admin Privileges [AD02ECON.UCLAC.UK] Polic Object Name 
Computer Configuration 
CA Central Access Policy 
Policies 
Software Settings 
Windows Settings 
Name Resolution policy 
Scripts (Startup/Shutdown) 
Deployed Printers 
Security Settings 
Account Policies 
Local Policies 
Event Log 
Restricted Groups 
System Services 
Registry 
File System 
Wired Network (IEEE 802.3) Policies 
Windows Defender Firewall with Advanced Security 
Network List Manager Policies 
Wireless Network (IEEE 80211) Policies 
Public Key Policies 
Software Restriction Policies 
Application Control Policies 
IP Security Policies on Active Directory (ECON.UCLAC.L 
Advanced Audit policy Configuration 
Policy-based QoS 
Administrative Templates: policy definitions (ADMX files) 
Preferences 
User Configuration 
Policies 
Preferences 
x

Right-click, and select add file, and then browse to the folder whose security setting's you want to modify

dpH 
SUOI dn aun 
SUO'I a6ueuv 
vodxa 
alsed 
PPV


Select the folder and click OK


Add a file or folder 
Md this file or foder to he template: 
Keepass Password Safe 2 
Microsoft 
Skype for Desktop 
locales 
resou rces 
api 1 -O.dll 
api -ms-win-core-datetime-11-1 -Odll 
api I-Odll 
api-ms-win-core-errorhandling-ll-l-l 
api-ms-win-core-file-ll-l-odll 
x 
Folder: 
Skype for 
We New Folder 
Cancel

A security dialog box will appear, modify the security settings as desired.


Database Security for %ProgramFiles% 
Security 
Group or user names: 
ALL APPLICATION PACKAGES 
CREATOR OWNER 
SYSTEM 
Administrators (OH-126-2\Administrators) 
Users (OH-126-2\LJsers) 
Permissions for ALL 
APPLICATION PACKAGES 
Fun Control 
Modify 
Read and 
List Folder Contents 
Read 
For special permissions or advanæd settings, 
dick Advanced 
Cancel 
x 
Deny 
Advanced 
Apply

Select "Replace existing permissions on all subfolders and files with inheritable permissions" (usually the case), and click OK

Add Object 
%ProgramFiles% 
@ Configure this file or folder then 
Propagate inheritable permissions to all subfolders and fies 
x 
@ eplaæ existing perrrussions on all subfolders and files with inheritab 
Do not albw permissk•ns on this file or folder to be replaced 
o 
Edit Security... 
OK

Your new Security entry should now display in the GP Dialog Box:

x 
Group Policy Management Editor 
File Action Mew Help 
ECON > Give Users Skype Ad 
Computer Configuration 
Policies 
Software Setti ngS 
Windows Settings 
Name Resolut 
Scripts (Startul 
Deployed Prin 
Security Settin 
Account pc 
Local polic 
Event Log 
Restricted 
System Se 
Registry 
File Systen 
Centra 
Wired Net— 
' Windows t 
Network Li 
Wireless N 
public Key 
Software R 
Applicati01 v 
Object Name 
ILA Central Access Policy 
%ProgramFiles% for Desktop




Why is this important?


In a sense what we have done here is given the Authenticated Users group full read/write access to this folder.  Many times this is enough to "trick" the application into thinking that the normal user is actually an administrator.  Therefore they will be able to update this certain application on their own without needing IT support intervention.

Note: (Not in the case of Skype), but some applications will have registry entries in HKLM>Software.  In this case you may need to modify the ACL on the Registry Key for that application in order for it to "believe" that the user has administrative privileges on the machine.


So let's apply the GPO to some machines in a Test OU...

Before: 
Skype for Desktop Properties 
security Previous Versions Customize 
General Sharing 
Object name C:\Program Files (x86)\Microsoft\Skype for Desktop 
x 
Group or user names: 
ALL APPLICATION PACKAGES 
ALL RESTRICTED APP PACKAGES 
CREATOR OWNER 
To change permissions. click Edit 
Permissions for ALL APPLICATION 
PACKAGES 
Full control 
Modify 
Read & execute 
List folder contents 
Read 
Write 
For special permissions or advanced settings. 
Allow 
click Advanced 
OK 
Cancel 
Edit 
Deny 
Adva nced 
Apply


Let's run gpupdate /force 

Command Prompt 
icrosoft Windows [Version 10.0.17134.523] 
(c) 2018 Microsoft Corporation. All rights reserved . 
: \Users\uctpasØ>gpupdate /force

After:Skype for Desktop Properties 
security Previous Versions Customize 
General Sharing 
Object name C:\Program Files (x86)\Microsoft\Skype for Desktop 
x 
Group or user names: 
ALL APPLICATION PACKAGES 
CREATOR OWNER 
Authenticated Users 
To change permissions. click Edit 
Permissions for Authenticated 
Users 
Full control 
Modify 
Read & execute 
List folder contents 
Read 
Write 
For special permissions or advanced settings. 
Allow 
click Advanced 
OK 
Cancel 
Edit 
Deny 
Adva nced 
Apply

Let's look at an individual file's security properties inside of the Skype for Desktop Folder:

Skype.exe Properties 
General 
Security 
Compatibility' 
Deta ils 
x 
Digital Signatures 
Previous Versions 
Object name C:\Program Files (x86)\Microsoft\Skype for Desktop\Skypeexe 
Group or user names: 
ALL APPLICATION PACKAGES 
Authenticated Users 
SYSTEM 
Administrators (DH-126-2\Administrators) 
Users (DH-126-2\Users) 
To change permissions. click Edit 
Permissions for Authenticated Users 
Full control 
Modify 
Read & execute 
Read 
Write 
Special permissions 
For special permissions or advanced settings. click 
Advanced 
OK 
Allow 
Cancel 
Edit 
Deny 
Adva nced 
Apply

We see that the security settings have "trickled down" to sub-folders and files.  Users should now able to Update Skype without needing Admin Credentials or the assistance of the IT Support staff.