Windows 10 Pro: allow standard user permission to run application but not modify folder

1

EDIT! Please confirm/deny the proposed solution, below.

Background:

A small business accounting application is installed in the c drive of a laptop running windows 10 pro. Two standard users from two different cities, say A and B, need to use the application (not necessarily concurrently, although that would be nice). I am located in city A and offered to help out; I have ready access to the laptop. The user in city B has her own computer, also running windows 10 pro. I am thinking of using the built in windows utilities to establish a vpn and through it remote desktop access for the employee in city B to laptop A.

Problem:

On the laptop in city A, I have created an administrator account, admin, and a standard account, test. I have been unable to grant test permission to run the application but deny test permission to modify the contents of the application folder on the c drive. This is necessary: it is suspected that the person in city B has wiped important company data in the past, but she is presently the only person at the company experienced with the accounting application.

Questions:

How do I grant a standard user permission to run an accounting/database type application, but not grant that user permission to delete files associated with that application using the file system? (I can deny her permission to delete application data from within the accounting application by modifying her permissions as an accounting system user).

Note:

This specific permission question is related to this general solution structure question.

entprise

Posted 2017-05-15T15:28:01.277

Reputation: 117

Question was closed 2017-05-17T20:04:11.297

@Ramhound The only permissions I see are modify, readExecute, listContents, read, write, and special. Furthermore, when I restrict permission to test, that user either gets an error message when clicking the shortcut or the application terminates after the splash page. – entprise – 2017-05-15T15:38:23.127

What do you mean by "grant a standard user permission to run an accounting/database type application"? i.e. what's stopping them already? – None – 2017-05-16T05:38:44.047

@FleetCommand. Nothing as of the time this post was written. The point was that I needed to deny permission to the application folder so it and its contents cannot be deleted, without denying permission to the executable. But, I believe I accomplished this: see the potential answer, below. – entprise – 2017-05-16T12:26:39.280

Answers

-1

@Ramhound's comments suggested I take a closer look at the permissions. It seems that, by denying permission to listContents for the folder containing the application, attempts to open or even delete the folder itself require administrative permission, while the application and shortcut still seem to work.

Please let me know if there are any huge and obvious security risks in doing it this way. Otherwise: solved.

entprise

Posted 2017-05-15T15:28:01.277

Reputation: 117

Asked: 2017-05-15T15:28:01.277

Viewed: 193 times

Active: 2017-05-16T12:53:24.830