I'm trying to get some software installed on my company laptop (Business Intelligence SSDT for Visual Studio). As a developer, I have administrator rights, and have never run into an issue installing software before. The software has been approved by my company.
SSDI needs to install Microsoft SQL Server Data Tools, which fails during setup due to "Rule 'Setup account privileges' failed." I've traced this issue back to a group policy setting for "Debug programs":
- Local Computer Policy > Computer Configuration > Windows Settings >
Security Settings > Local Policies > User Rights Assignment
In the list of policies, the "Debug programs" security settings does not have "Administrators" listed. And although I am part of the administrators group, I am unable to add groups to this policy.
Is there some way I can "temporarily" disable or remove these group settings, install the software I need, then re-enable everything afterwards? Or better yet - add the administrator group to the policy?
I've seen several options, but I don't want to proceed with half-baked ideas that could affect my laptop's access to the company network.
For example, could I:
- Right-click into my Local Computer Policy > Properties, and select the option to "Disable Computer Configuration settings"?
- Edit the registry to remove group policy settings?
- Create a non-domain user (a true "local admin" user?) that has no GPO restrictions, disconnect from any network, and install the software from there?
Are there risks to the above options that I would not be able to reverse myself? Or are there other better options?
Side note: My first step troubleshooting this was to contact my system admin, who informed me that I should have "full control" over all my local policies, including the "Debug programs". According to him, there should be no permission / group policy restrictions for administrators.
His thought is that the issue is coming from some sort of permission (or as he put it, "sysadmin" access) to our SQL servers, and he would have to reach out to the server team and get back to me in a few days. I have permission to "explore" my own solutions in the mean time.
Answer
As opposed to working around group policy, you might be able to add yourself or the Administrators group directly to the "Debug Privilege" right.
There's a command-line utility called NTRIGHTS which can do this:
Ntrights.exe -u Administrators +r SeDebugPrivilege
NTRights is part of the W2K3 resource kit, but it still works on more recent windows versions. See Windows 7 equivalent for ntrights.exe and http://ss64.com/nt/ntrights.html (I don't have a direct link on where to download it, but with some google sleuthing, or getting your hands on the W2K3 resource kit install, you'd have it).
No comments:
Post a Comment