We recently migrated users from a Windows NT4.0 domain to a Windows 2003 domain. Using group policies, we removed users' access to workstations as administrators in order to lock down security.
Now many applications don't work after the implementation of the group policies. The applications had been previously installed while the users had been operating as local administrators.
Is there anyway to correct this through group policy or registry permissions, assuming that you're migrating about 10,000 users? We assumed that every application required a re-install!
Unfortunately many applications are not written correctly. They assume administrator privileges. You may be able to resolve your issues using one of techniques below.
First: When you dcpromo, you have the option to select pre-Windows 2000 compatibility. This option provides broader access to registry and system files for ordinary user accounts by placing the Everyone group in the Pre-Windows 2000 Compatible Access group. If you did not make this selection, you can add it later by adding the Everyone group to this group in Active Directory Users and Computers.
Second: As you may have guessed from the first option, the problem may lie with the attempts by the software to access certain registry keys and system files that only administrators have appropriate privileges for. If you can find which keys and files are the issue, then you can give your users privileges on those keys and files. (v.s. giving them full administrator privileges) to find those keys and files, you can use products such as regmon and filemon from www.systeminternals.
Third: Get the Windows Application Compatibility Toolkit from: http://www.microsoft.com/technet/prodtechnol/windows2000serv/downloads/appkit.mspx. This will help you find out what the problems are and fix them.
This was first published in March 2004