Forum: SuRun English speaking RSS
How do you allow control panel for specific application users?
jmp242 (Guest) #1
No profile available.
Link to this post
Subject: How do you allow control panel for specific application users?
If I've got users who are only allowed to run specific applications as Administrator, how do I also allow them to run the Control Panel?
Kay (Administrator) #2
User title: Weltverbesserer
Member since Nov 2007 · 1509 posts · Location: Magdeburg
Group memberships: Administratoren, Mitglieder
Show profile · Link to this post
Letting them run the control panel is a bad idea IMHO. Control Panel is part of Explorer, that means that you let your users run Explorer as Admin.

You could allow them to run "explorer.exe /root, ::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}" in XP and in Vista "explorer.exe /root, ::{21EC2020-3AEA-1069-A2DD-08002B30309D}"
this will not allow navigating to folders above the (virtual) control panel folder, but I'm not sure, that this is safe.
jmp242 (Guest) #3
No profile available.
Link to this post
Sadly, we're trying to lock down some hardware development PCs, so we need to let them do add/remove hardware. Do you recommend then just running the applet itself? I was just looking for a bit easier method.
jmp242 (Guest) #4
No profile available.
Link to this post
In reply to post #2
Actually, where is the ini file where I could paste things like that? In the GUI it looks like I can just select a program from the file picker dialog.
Kay (Administrator) #5
User title: Weltverbesserer
Member since Nov 2007 · 1509 posts · Location: Magdeburg
Group memberships: Administratoren, Mitglieder
Show profile · Link to this post
Just paste "explorer.exe /root, ::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}" in the "file name" box of the open file dialog (that appears after you press "Add..." in the users program list) and press OK.
This post was edited on 2009-06-09, 22:24 by Kay.
jmp242 (Guest) #6
No profile available.
Link to this post
Hmmm, I've tried several commands that have spaces enclosed in quotes. Latest example is
"C:\WINDOWS\system32\mmc.exe devmgmt.msc"
but it says command doesn't look right, did you quote spaces... I tried with and without quotes, but no good. Even if I do save it, it gives me access denied ...
Kay (Administrator) #7
User title: Weltverbesserer
Member since Nov 2007 · 1509 posts · Location: Magdeburg
Group memberships: Administratoren, Mitglieder
Show profile · Link to this post
That's pretty strange as it works here.

What Windows version do you use?
Are you a domain member?
If you start "surun C:\WINDOWS\system32\mmc.exe devmgmt.msc" (without the quotes) does it work?
jmp242 (Guest) #8
No profile available.
Link to this post
I'm using Windows XP SP3. I'm a member of a domain, this is a standard / limited Domain User in an NT4 Domain.

I am also running Comodo Internet Security 3.9, but surun seems to work ok for Firefox for a test program, and it works for running the Add/Remove Hardware applet...
Kay (Administrator) #9
User title: Weltverbesserer
Member since Nov 2007 · 1509 posts · Location: Magdeburg
Group memberships: Administratoren, Mitglieder
Show profile · Link to this post
Ok. If you try to start->run "surun C:\WINDOWS\system32\mmc.exe devmgmt.msc" (without the quotes) does it work?
jmp242 (Guest) #10
No profile available.
Link to this post
I am trying in some shortcuts I have made for this to work. I think I may have figured out how to get it to work (odd though). What I did was:
1. Create the entries for allow as shown:
"C:\WINDOWS\system32\mmc.exe devmgmt.msc"
2. Export the entries (this and the firefox one that did work before)
3. edit the resulting ini in notepad to remove the double quotes:
""C:\WINDOWS\system32\mmc.exe devmgmt.msc""
so that in the ini there was just
"C:\WINDOWS\system32\mmc.exe devmgmt.msc"
and then change
WhitelistFlags section for each to match what was in Firefox
so Firefox was
0=1
I made the other one
1=0
to
1=1
then saved the file.

I then deleted the entries in the GUI, and imported the edited ini file.

Now it seems to work from the shortcut...

Now I'm just wondering why this would work, and if I'm screwing up trying to edit the entries in the gui rather than delete and re-create...

As I'll mostly want to do this as a deployment anyway, I'm ok with editing the ini file - much easier IMO than editing the sudowin XML file as I currently am doing...

Any ideas to do this totally in the GUI would be appreciated, even if it's just get a clean dev system lol!
Kay (Administrator) #11
User title: Weltverbesserer
Member since Nov 2007 · 1509 posts · Location: Magdeburg
Group memberships: Administratoren, Mitglieder
Show profile · Link to this post
This shows the confusion:
Quote by jmp242:
1. Create the entries for allow as shown:
"C:\WINDOWS\system32\mmc.exe devmgmt.msc"
2. Export the entries (this and the firefox one that did work before)
3. edit the resulting ini in notepad to remove the double quotes:
""C:\WINDOWS\system32\mmc.exe devmgmt.msc""

If you quote C:\WINDOWS\system32\mmc.exe devmgmt.msc, Windows tries to find an executable named mmc.exe devmgmt.msc in the path C:\WINDOWS\system32, but there surely is none.

You must not surround non white space commands with quotes.

C:\WINDOWS\system32\mmc.exe must not be quoted "C:\Program files\anyapp.exe" must be quoted as the path\file name combination contains delimiters (white space).

In my exports I see:
[WhiteList]
1="C:\WINDOWS\system32\tweakui.exe"
2=""C:\Programme\Shell Object Editor\ShellObjectEditor.exe""

This is how it should be.
Close Smaller – Larger + Reply to this post:
Verification code: VeriCode Please enter the word from the image into the text field below. (Type the letters only, lower case is okay.)
Smileys: :-) ;-) :-D :-p :blush: :cool: :rolleyes: :huh: :-/ <_< :-( :'( :#: :scared: 8-( :nuts: :-O
Special characters:
Go to forum
Not logged in. · Lost password · Register
This board is powered by the Unclassified NewsBoard software, 20150713-dev, © 2003-2015 by Yves Goergen
Page created in 68.6 ms (44.3 ms) · 88 database queries in 18.9 ms
Current time: 2019-12-08, 03:18:06 (UTC +01:00)