Fat Client security to avoid local admin rights

HampMcCool

Active Member
I've been working to try to get a complete list of registry settings (and other things) that need to be opened so that a fat client does not have to have Local Administration rights on the PC (Windows 2000) for logon, packages, etc.

Does anyone have the complete list?

Knowledge Garden document OTI-01-0082 has a good list, and we have employed it, but find that it only works if we initially make the user Local Admin, log on, then remove them from the group. This gets the one client machine working fine, but doesn't carry over to another fat client for the same Windows 2000 user!

All help is appreciated!

(Intel, Windows 2000 servers and clients, SQL/2000, ERP 8)
 
1. Sign on to the Terminal Server as Administrator
2. Run the regedt32 program: click the NT Start button, click Run, and in the Open field, type 'regedt32' and click OK.
3. Open the appropriate Registry Key.
4. On the Menu bar, click Security, Permissions
5. Click 'Add'.
6. Select the 'Everyone' group.
7. Click the 'Full Control' check box.
8. Ensure that the 'Allow Inheritable Permissions' box is checked
9. Click OK. Permission to access the registry is granted to all users.


Repeat the above instructions for the following Registry Keys (if they exist):

[HKEY_LOCAL_MACHINE\SOFTWARE\JDEdwards]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
[HKEY_CLASSES_ROOT]
Colin Dawes, Sr. Technical Consultant
Syntax.net
B733.1 to ERP 8.0
Oracle 8i/9i/SQL Server 2K, DB2
 
If you use my RegistrySecurityCommander tool (http://members.optushome.com.au/apastuhov) and have a list of computers in a file named "PCList.TXT", you can use the following script to do what you want:

rem =====================================================
rem
rem Copyright ©2002 Alexander Pastuhov. All Rights Reserved.
rem
rem Edit this file to set the User/Group name to grant
rem ALL Access Rights to (defaults to "USERS").
rem
rem Computer Network Names are read from a file named
rem PCList.TXT which must be located in the same folder
rem and contain a list of computers to adjust the access
rem rights on (a ";" can be used to comment entries out,
rem the computer names should not have leading "\\"s).
rem
rem Due to the size of "HKLM\Software\Classes" it might
rem take a few minutes per machine to modify permissions
rem on this key, plus it may make the registry file
rem substantially larger if you need to adjust access
rem rights on this key.
rem
rem =====================================================

setlocal
set ACCOUNT=USERS
for /f "eol=; tokens=*" %%a in (PCList.TXT) do @call :GRANTPRIVS %%a %ACCOUNT%
endlocal
goto :eof

::--------------------------------------------
:GRANTPRIVS
RSC52 -m \\%1 -a %2 -r A -t GRANT -c -v -k "HKLM\SOFTWARE\Microsoft\Cryptography\RNG"
RSC52 -m \\%1 -a %2 -r A -t GRANT -c -v -k "HKLM\SOFTWARE\Microsoft\MSSQLServer\Client\TDS"
RSC52 -m \\%1 -a %2 -r A -t GRANT -c -v -k "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths"
RSC52 -m \\%1 -a %2 -r A -t GRANT -c -v -k "HKLM\Software\JDEdwards"
RSC52 -m \\%1 -a %2 -r A -t GRANT -c -v -k "HKLM\Software\Classes"
goto :eof


Regards,
Alex.
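The following is an added example, not code from Colin, Alex or any other poster in this thread, and it is not part of the RegistrySecurityCommander tool. It does the same job as Colin's regedt32 steps and Alex's RSC52 batch file (loop over the computers in PCList.TXT and grant a group access to the keys both replies list), but with two defender-side changes: the grant goes to a named group rather than Everyone, and the rights default to read plus write without Delete, ChangePermissions or TakeOwnership, so an ordinary user cannot re-open the ACL later. Granting Everyone Full Control on a key such as Session Manager or HKEY_CLASSES_ROOT lets any local account rewrite values that the operating system and every application read, so the script also prints each key's DACL after the change, where an existing Everyone/Full Control entry is easy to spot. Assumptions: it runs from a modern Windows PowerShell console as an account that is a local administrator on each target, the Remote Registry service is reachable on the targets, PCList.TXT has the format Alex describes (one name per line, ';' comments), and the account and rights defaults are placeholders to adjust for your client. HKEY_CLASSES_ROOT is the merged view whose machine-wide half is HKLM\SOFTWARE\Classes, so that path stands in for it.

```powershell
# Added example (not from any poster in this thread). Grants a NAMED group a
# configurable set of rights on the registry keys listed in the two replies above,
# on every computer in PCList.TXT, then prints each key's resulting DACL.
#
# Assumptions: Windows PowerShell on an admin workstation; the operator is a local
# administrator on each target; Remote Registry is reachable on the targets;
# PCList.TXT uses Alex's format (one name per line, ';' comments allowed).

param(
    [string]$Account = 'BUILTIN\Users',        # assumed default; the thread's scripts use USERS
    [string]$Rights  = 'ReadKey, WriteKey',    # assumed default; no Delete/ChangePermissions/TakeOwnership
    [string]$PcList  = '.\PCList.TXT',
    [switch]$DryRun                            # report what would change without touching any ACL
)

# Keys taken from the two replies. HKEY_CLASSES_ROOT is represented by HKLM\SOFTWARE\Classes.
$Keys = @(
    'SOFTWARE\JDEdwards',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs',
    'SYSTEM\CurrentControlSet\Control\Session Manager',
    'SOFTWARE\Microsoft\Cryptography\RNG',
    'SOFTWARE\Microsoft\MSSQLServer\Client\TDS',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths',
    'SOFTWARE\Classes'
)

function Grant-KeyAccess {
    param(
        [string]$Computer,
        [string]$SubKey,
        [string]$Account,
        [System.Security.AccessControl.RegistryRights]$Rights,
        [switch]$DryRun
    )
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        # Open the key with only what editing its DACL needs (READ_CONTROL + WRITE_DAC),
        # not with full access to the key's data.
        $key = $base.OpenSubKey($SubKey,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
            ([System.Security.AccessControl.RegistryRights]::ReadPermissions -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions))
        if ($null -eq $key) {
            Write-Warning ("{0}: HKLM\{1} does not exist, skipping" -f $Computer, $SubKey)
            return
        }
        try {
            $acl = $key.GetAccessControl()
            # ContainerInherit makes the new ACE flow down to subkeys, matching the
            # 'Allow Inheritable Permissions' box in the regedt32 steps.
            $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                $Account, $Rights,
                [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
                [System.Security.AccessControl.PropagationFlags]::None,
                [System.Security.AccessControl.AccessControlType]::Allow)
            $acl.AddAccessRule($rule)
            if ($DryRun) {
                Write-Host ("[DryRun] {0}: would grant {1} to {2} on HKLM\{3}" -f $Computer, $Rights, $Account, $SubKey)
            } else {
                $key.SetAccessControl($acl)
            }
            # Read the DACL back and list every ACE, so a pre-existing Everyone/FullControl
            # entry shows up next to the new one and can be reviewed.
            $key.GetAccessControl().GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
                ForEach-Object {
                    '{0,-15} HKLM\{1,-70} {2,-28} {3,-5} {4}' -f $Computer, $SubKey,
                        $_.IdentityReference, $_.AccessControlType, $_.RegistryRights
                }
        } finally { $key.Close() }
    } finally { $base.Close() }
}

if (-not (Test-Path $PcList)) { throw "Computer list '$PcList' not found" }
$RightsValue = [System.Security.AccessControl.RegistryRights]$Rights

Get-Content $PcList |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith(';') } |     # skip blank lines and ';' comments
    ForEach-Object {
        $pc = $_.TrimStart('\')                            # tolerate a leading "\\"
        foreach ($k in $Keys) {
            Grant-KeyAccess -Computer $pc -SubKey $k -Account $Account -Rights $RightsValue -DryRun:$DryRun
        }
    }
```

Run it once with -DryRun to see the current DACLs and the entries it would add; if the client still fails with ReadKey and WriteKey, widen -Rights one key at a time rather than returning to Full Control for Everyone. As Alex notes, the Classes key is large, so expect that one to take noticeably longer per machine.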
 