Group policy question

So I work for a small (4 person) law firm with a server/domain/active directory setup, and the main lawyer at this firm is pretty concerned about about locking down the computers He really doesn't want his users installing ANY applications on their computers, so none of them have admin rights (he does, of course ).

But there's a little problem. He had me install a program called Timeslips today, and apparently this program requires that the user have admin access to the local machine. I'm not sure why this is the case, but that's what they're saying.

I logged into the machines as the network admin and gave them local admin rights for now, promising this attorney that I'd try to find a workaround.

So that's where I am Is there another way to do this that might get around this requirement from the software? Do you think this software actually requires admin rights?

*edit*

ps- sorry, I just realized after posting this that it doesn't really have anything to do with group policies

Seems strange that something named timeslips would need admin rights.

I have local admin on my work pc. But recently, the company deemed it necessary to add a bit of nannyware which inhibits all access to anything deemed off limits to a local admin. The impression I was given is that it was highly configurable. The one thing I know it made off limits, was reg edits. They talked about making things like adding networked printers off limits. They seem to have found a balance that works.

Monday I'll check to see what that package was.

No. I'd say to uninstall it and find something else. However, you might be able to use a compatibility shim to lie to it.

It might sound like a punch-card system, but it's actually for tracking billable hours and using the results for billing. It's a very common thing in law firms, but these vertical applications can be annoying sometimes and not have the best support.


Thanks, I'd be interested.


Unfortunately, this is probably one of the biggest names in this type of software (from what I've seen), so anything else is kind of a step down.

I suppose I could always remove the admin rights and just see what happens!

Couldn't you just contact the creators of Timeslips and ask them if it's absolutely necessary to run the program with admin rights? If you explain them situation like you have here, I'm sure they'll respond. Maybe even with a workaround.

They claim it's absolutely necessary...

There are some claims on their forums that all it really needs is write access to the registry (probably just a specific part of the registry) and write access to the installed application's directory. Worth trying.

You might also try using a utility like Process Monitor to see if you can match the program's failure with the failure of a specific type of access, and then resolving that access problem.

Also, you might see if a sandboxing program (like Sandboxie or Cameyo) will allow the program to function thinking that it has admin rights when it really doesn't.

Beyond Trust

Don't know if this is the same version, but this doc says users only need change rights to the install folder.

http://www.sagetimeslips.com/~/media/Cat...S2012Readme.pdf (see p.2)



Edit: The security event log might help identify if there's a security privilege the app is trying to use, e.g. does it require permissions to load/unload device drivers or backup files, etc.?

Hmm, that's very interesting. I already have it installed on the computers it needs to be on.

I believe one thing I read/heard was that it needs privileges to connect to Outlook or Quickbooks for integration. But at least two of these installs don't need that capability (or so I think, I might be wrong).