Windows Vista Forums
Vista Forums Home Join Vista Forums Donate Vista Tutorials Tags

Welcome to Vista Forums we are your forum to discuss Windows Vista x64 and x86 systems. Whether you need help or just want to post an idea you have on Vista, this is the forum for you.
Register at Vista forums...the world biggest Windows Vista resource Join Vista Forums Now

Go Back   Vista Forums > Vista Newsgroups > Vista account administration

System Administrator vs. Application Administrator

Update your Vista Drivers Update Your Drivers Now!!
Closed Thread
 
Thread Tools Display Modes
Old 02-12-2007   #1 (permalink)
Dave R.
Guest


 

System Administrator vs. Application Administrator

There seem to be a lot of posts about UAC, proper system administration
practices, programming practices, etc., but I haven't yet seen a good
answer to how best to implement a setup where an application
administrator is not the system administrator.

To use an example from another thread, the FamilyAddress program. Mom,
Dad, Billy and Tammy all use the application under their own Limited
User Windows logins. Mom and Dad are application administrators, but
only Dad is a system administrator (under a separate Windows
administrative login). All need to be able to add/edit/delete private
addresses, but Billy and Tammy shouldn't be able to see other users
private addresses. All need to be able to read common addresses. Mom
and Dad both need to be able to add/edit/delete common addresses (or
move a private address to the common area), and as application
administrators can access the private addresses of all users in the
system. To complicate matters, as application administrators, Mom and
Dad need to be able to set global application parameters.

Where, in Vista, can/should you place the data file or files for this
type of application? Where should the global application parameters be
stored?

Please, I'm not trying to troll, bash, flame, belittle anyone or
anything here. I really want to understand how this should properly be
done in Vista and I've not yet seen anything that looks to me like it
would work without modifying the underlying system security / access
restrictions.

Regards,

Dave



My System SpecsSystem Spec
Old 02-13-2007   #2 (permalink)
Jimmy Brush
Guest


 

Re: System Administrator vs. Application Administrator

Hello,

Per-user stores would be stored in each user's profile, while the
per-machine info (such as global addresses and any configuration info) would
be in the per-machine location.

If you didn't add the abstraction for Application Administrator, the default
security settings would suffice.

However, you are correct that you would need to edit the security on the
files to make your scenario work, since Windows has no notion of an
Application Administrator. You would need to create the Application
Administrator user group and then give that user group access rights to the
files/folders that they are meant to manage.

As an alternative to directly using files to access your data and settings
from your main program, you could implement a windows service that manages
the files for your app and then exposes an API for your application (and
other applications) to call and get the data. In this solution, all of the
files could be stored in the per-user location for the service (which should
only allow the SYSTEM or service account access and deny everyone else). The
service would be responsible for determining who has access to what.
However, you would need to be extremely careful that your service does not
introduce any security holes by allowing users or other programs to use your
service to do something that they are not supposed to be able to do.


--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

My System SpecsSystem Spec
Closed Thread

Thread Tools
Display Modes



Similar Threads
Thread Thread Starter Forum Replies Last Post
Account 'NAMED' Administrator vs. 'administrator rights' question FireBrick Vista installation & setup 1 08-08-2008 08:02 AM
Specify Application to Always Run as Administrator Anthony Bollinger Vista security 2 12-11-2007 11:18 AM
system administrator payno0171 Vista account administration 5 06-24-2007 11:10 AM
If I am logged in as administrator why don't programs run as administrator vista? RoaringLambs Vista General 6 06-13-2007 06:17 PM
How can i run a application with Run As Administrator from cmd? dNi Vista account administration 3 02-28-2007 11:02 AM


Update your Vista Drivers Update Your Drivers Now!!

Vistax64.com is an independent web site and has not been authorized,
sponsored, or otherwise approved by Microsoft Corporation.
"Windows Vista", the Start Orb, and related materials are trademarks of Microsoft Corp.
© Designer Media 2005-2008