How to run specific programs as Administrator with no user interaction

Posted on 2005-04-04
Medium Priority
Last Modified: 2012-05-05

I have an AD Network, all my clients login to workstations with these credentials. They are DOMAIN USERS and not Administrators.

I have a program that I've installed on all the workstations. However, it's giving me difficulty since my employees can't access the program unless I "run-as" with administrator credentials.

Is there a way I can have ONE program run always with administrator credentials? Like a permanent shortcut or something?

admin:password/rest.exe or something? I dunno.

Question by:ubers0ldat
Expert Comment

ID: 13703117
It depends. Is the executable on a network share? If so, the Domain Users group may need higher permissions for that folder and its subfolders.

If the file runs locally, the executable will need to be in a folder that has elevated permissions or the user needs to be added to the local pc's power user or administrators group.

Expert Comment

ID: 13703910
What version of Windows are they using? If it is XP, is it Home or Pro?

Author Comment

ID: 13704511
XP Pro

Expert Comment

ID: 13705885
Since you are running on an Active Directory domain you should be able to create an AD shared link made by the domain administrator and set the shared link to open the specified program and allow all users or just the specified users to access the link. In doing so it should run as administrator; if not, I might have one or two more possibilities.

Expert Comment

ID: 13708410
We run a program to utilize the same methods. Create an AD group, assign the program service account to that group, add that group into the local Administrators group on each PC (via scripting). When the program attempts to run, it can run with admin privileges.

Expert Comment

ID: 13708442
Also, first try to add Domain Users to the program folder. Set to Modify or Full Control permissions. This restricts the "admin" privileges to just that folder.

Expert Comment

ID: 13708773
Keep "Administrator" out of the picture; that is the local machine's built-in account for the computer.  A group of administrators is fine, with no one named "Administrator".  Admin or Domain Admin privileges should propagate across the network without having to install on every machine.  You can run the program as either privileged from either the server or on the client machine.  If you run it as a service, you don't have to worry about who can call it, as the system itself can call it.  It would probably work out better if you figured out how to start it as a service, even on client machines.

Systems Management Server [SMS] itself does exactly the same thing you are describing and may be helpful in figuring out how to do the same.

In fact, SMS could install it on all machines with the permissions you want and without any need for a password to be applied anywhere in "plain text" as your example above would do:

"admin:password/rest.exe or something? i dunno."

It should probably run as a service which can be called by clients with proper credentials, i.e., permissions.

Expert Comment

ID: 13709931
Have you tried a .BAT file approach; the BAT file contains RUNAS with the /savecred option, and will be executed by the users.
Wondering out aloud, would a shortcut with the RUNAS command (instead of the BAT file) suffice?

saving the creds locally would be another nut to crack :-?

Expert Comment

ID: 13711910
I would look at why the app does not work as a basic user....
On a test box give Everyone full control over the entire registry. Re-test as user.
If this doesn't work, do the same on the C: drive.

This should give you an idea where the permissions are required.
You can then run Regmon or Filemon (do a search in Google for these) to find what it is that the app requires access to. Then simply give users the appropriate permissions on that file/registry key.

Up to you whether the problem warrants such work.

Another way is to create an exe via VB to start the app under the context of an elevated account.
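The least-privilege fix that this post and the earlier "add Domain Users to the program folder" post both describe, as an added PowerShell example (not code from the thread or from Acroprint): once a Filemon/Regmon trace (today, Process Monitor) shows which folder and registry key the app is denied on, a single domain group is granted exactly those rights and nobody is made a local administrator. The group name MPDOMAIN\AttendanceRX-Users and the registry key are assumptions; the folder path is the one quoted later in the thread. Run it elevated on the workstation or from a GPO startup script.

```powershell
# Added example, not code from the thread or from Acroprint.
# Grants one domain group the folder and registry-key permissions an
# application needs, instead of making its users local administrators.
#
# Assumptions (hypothetical names): the group MPDOMAIN\AttendanceRX-Users and
# the registry key below. The folder path is the one quoted in the thread.
# The real file/key list comes from a Filemon/Regmon (or Process Monitor)
# trace of the app failing as a plain user; grant only what that trace shows.

$Group  = 'MPDOMAIN\AttendanceRX-Users'
$AppDir = 'C:\Program Files\Acroprint\Attendance RX'
$RegKey = 'HKLM:\SOFTWARE\Acroprint\AttendanceRX'

# 1. File system: Modify on the app folder, inherited by its files and subfolders.
#    Modify rather than Full Control, so members cannot rewrite the folder's ACL.
$acl  = Get-Acl -Path $AppDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $Group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $AppDir -AclObject $acl

# 2. Registry: write access on the app's own key only, never on HKLM\SOFTWARE itself.
if (-not (Test-Path -Path $RegKey)) { New-Item -Path $RegKey -Force | Out-Null }
$racl  = Get-Acl -Path $RegKey
$rrule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $Group, 'ReadKey, SetValue, CreateSubKey', 'ContainerInherit', 'None', 'Allow')
$racl.AddAccessRule($rrule)
Set-Acl -Path $RegKey -AclObject $racl

# 3. Verify: print only the ACEs that name the group.
(Get-Acl -Path $AppDir).Access | Where-Object { $_.IdentityReference.Value -eq $Group } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
(Get-Acl -Path $RegKey).Access | Where-Object { $_.IdentityReference.Value -eq $Group } |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags, IsInherited -AutoSize
```

Re-run the app as a member of the group after each grant; if it still fails, the trace will show the next denied path, and that one gets added the same way. Resist widening the grant to all of C: or HKLM, which is only useful on the throwaway test box the post describes.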

Expert Comment

ID: 13712528

This might help you:

Right click on desktop and create new Shortcut. Point shortcut to the executable of the program you need to run.

When shortcut is created right click icon and goto properties.

In the Target Box type:            

            C:\windows\system32\runas.exe /savecred /user:<DomainName>\administrator "<File Path of your program>"

When you run your program you will need to enter the administrator password, but the savecred command will then remember it.

Good Luck
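What the shortcut above actually leaves behind on the workstation, and how to find it, as an added PowerShell example (not code from the thread): /savecred stores the administrator password in the logged-on user's credential store, and runas will reuse it for any program, not only the one in the shortcut. The script parses cmdkey /list, flags cached runas credentials for accounts whose name contains "admin" (an assumed naming convention) and removes them. It assumes cmdkey.exe, which ships with Windows Server 2003 and Vista onward; XP has no cmdkey, but the same store is shown there by rundll32 keymgr.dll,KRShowKeyMgr. The domain name MPDOMAIN is a placeholder.

```powershell
# Added example, not code from the thread. Shows why /savecred is not a way to
# give users ONE elevated program, and how to find and remove the cached secret.
# Assumptions: cmdkey.exe is present (Server 2003 / Vista and later; XP lacks it),
# MPDOMAIN is a placeholder, and privileged account names contain "admin".

# --- What the shortcut really grants -------------------------------------------
# After the user has run the shortcut once, the administrator password sits in
# that user's credential store under the target "Domain:interactive=<account>".
# runas reuses it for ANY program, so the user, or anything running as the user,
# can open a full administrator command prompt with no password at all:
#
#   runas /savecred /user:MPDOMAIN\administrator cmd.exe

# --- Detection: cached runas credentials on this machine ----------------------
function Get-CachedRunAsCredential {
    $raw     = cmdkey /list 2>$null
    $entries = @()
    $current = $null
    foreach ($line in $raw) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{ Target = $Matches[1].Trim(); Type = $null; User = $null }
        }
        elseif ($current -and $line -match '^\s*Type:\s*(.+)$') { $current.Type = $Matches[1].Trim() }
        elseif ($current -and $line -match '^\s*User:\s*(.+)$') { $current.User = $Matches[1].Trim() }
    }
    if ($current) { $entries += $current }
    # runas /savecred entries use the "Domain:interactive=" target prefix.
    $entries | Where-Object { $_.Target -like 'Domain:interactive=*' }
}

# Assumed convention: privileged accounts have "admin" somewhere in the user part.
$privPattern = '\\[^\\]*admin[^\\]*$'
$exposed = Get-CachedRunAsCredential | Where-Object { $_.User -match $privPattern }

if ($exposed) {
    "Cached privileged runas credentials found (usable for any program):"
    $exposed | Format-Table Target, User, Type -AutoSize
} else {
    "No cached privileged runas credentials on $env:COMPUTERNAME."
}

# --- Remediation: delete each one (the next runas prompts for a password again)
foreach ($entry in $exposed) {
    cmdkey "/delete:$($entry.Target)" | Out-Null
}
```

The store is per user, so the check has to run in each user's context (a logon script is the natural place). A hit means that account's password has been usable, without prompting, by anything that ran as that user since the shortcut was first clicked; treat it as exposed and change it, not just delete the entry.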




Expert Comment

ID: 13713502
When you say the you can't access the program, exactly what do you mean ie

You try to start the program and nothing happens at all.
You get an error message.
the program starts but doesn't function properly.
What is the name of the program?

Author Comment

ID: 13722626

i've attempted some of your ideas, and find them all to be a little "make-shift."

Some more details:

The program name is AttendanceRX network. When clients try and open the application (which they SHOULD have access to,) it says something along the lines as: "You do not have proper permissions to execute this." (Or something like that.) The program refuses to open unless i use "runas."

Currently, I've made a shortcut whose target is the runas command. It works exceptionally well. However, I want the program to open NO MATTER WHAT. If, for instance, they're asked to enter the Admin password, they wouldn't be able to, and wouldn't be able to get paid for that day. I need a completely solid solution.

When I tried adding that command to my logon script, it didn't work like it worked with the shortcut. It simply kept repeating the same command over and over again with no apparent end.

Why does the shortcut work, and not the logon script?


Could it be the space between Attendance and RX? If so, how do I terminate it?

C:\windows\system32\runas.exe /savecred /user:administrator "C:\program files\acroprint\attendance rx\arxrun.exe"


Author Comment

ID: 13722632
Increased point value

Expert Comment

ID: 13728976
It works with the runas from your command because you are either the owner or have execute permissions.

It would be so much easier if Windows had chmod structure permissions.

What you really want is an Access Control List that requires a logon  to run the program from a group that includes only the users who you want to be able to run the program.  And in the permissions for the program itself, you want to add this group.  They do not have to be admins.  

If you read the Microsoft documentation, probably Networking File Permissions, and Group Policies, you will see that this is the proper way to do it.  As Network Administrator, you should be able to force any client's permissions, from anywhere, as well as any Group's permissions and/or policies.  The program itself will check to see if "it" has permissions to run and execute "by Group."  There is no need to give anyone administrator privileges; that's the purpose of Groups and Policies.

Forcing run locally is another question.  If it is a true "network" program, that is, you have the proper software license to run it in a network, then you should have the options to install locally as well as run locally per defined user.

Bat files and run as are completely backwards from how a secured program should be run.  Once someone were to get ahold of the script, it could be compromised, as well as your admin account.

And run as means they now have a program that they are running as an admin, with full admin privileges.

If you look at Netmeeting,which runs as a service, under Computer Management, Services, you can see some examples; profile, log on as Local System Account with Allow service to interact with desktop and so forth.  While things such as MSSQL will have Log on as This account and a username and password.

This is precisely how Windows manages who can run what.

Unfortunately, the XP team is a late term joinder of the winning NT team and the leftovers of the Win95 team.  NT was fine and permissions were based on the more refined networking of Unix and Linux, i.e., it has lots of permissions options even on client machines.  But with XP, it seems to have reverted to the pictograph approach of Win95 and the commands have been replaced with pictographs and simpleton phrases like "share this folder on the network" instead of an indepth approach to security policies.

But at the server, you should still have full control of user management and User Manager.  It is here that you set the policies after creating users and groups.

I would suggest you create a Group like "Employees" or "ClockedIn" and add the clockpunchers then give them permissions, there and in the program, to run as interact with desktop.  That seems like the logical solution, but you will probably have to test and refine it some.


Expert Comment

ID: 13734127
Use a scheduled task and set that application to run as administrator. The user will run that scheduled task without the admin user or password.
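The scheduled-task approach with the two controls it needs, as an added PowerShell example (not code from the thread or from Acroprint): the task runs one fixed executable under a dedicated account, and ordinary users may run the task but not edit it, because whoever can edit the task's action can run any program as that account. The task name, the service account MPDOMAIN\svc-attendancerx (made a local administrator where the app needs it, rather than using the domain Administrator) and the US date and time formats in /sd and /st are assumptions; the .job file location is specific to Windows XP / Server 2003, where each task is a file under %windir%\Tasks. Run it once, elevated, on each client.

```powershell
# Added example, not code from the thread or from Acroprint.
# Creates an on-demand task that runs the client as a dedicated account, and
# locks the task file so users can trigger it but not change what it runs.
#
# Assumptions (hypothetical names): task name, MPDOMAIN\svc-attendancerx,
# US date/time formats for /sd and /st (locale dependent), and the XP / 2003
# task store (%windir%\Tasks\<name>.job). The exe path is the one in the thread.

$TaskName = 'AttendanceRX-Client'
$Exe      = 'C:\Program Files\Acroprint\Attendance RX\arxrun.exe'
$RunAs    = 'MPDOMAIN\svc-attendancerx'
$Users    = 'MPDOMAIN\Domain Users'

# schtasks only accepts the password in clear text on its command line; prompt
# for it so it is in neither the script nor the shell history.
$secure = Read-Host -Prompt "Password for $RunAs" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# ONCE with a start date in the past: the task never fires by itself, only when
# run on demand. The Task Scheduler service keeps the account's password on
# this machine, which is why a dedicated, limited account is used for /ru.
# The \" escaping keeps the quotes around a path that contains spaces.
schtasks /create /tn $TaskName /tr "\`"$Exe\`"" /sc once /sd 01/01/2000 /st 00:00:00 `
         /ru $RunAs /rp $plain | Out-Null
$plain = $null

# Users need Read & Execute on the .job to trigger it; they must NOT get Write,
# or they could point the task at any program and have it run as $RunAs.
$job  = Join-Path $env:windir "Tasks\$TaskName.job"
$acl  = Get-Acl -Path $job
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $Users, 'ReadAndExecute', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $job -AclObject $acl

# Review the result: no non-administrator ACE should carry Write, Modify or FullControl.
(Get-Acl -Path $job).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Users, or their logon script, start the client with:
#   schtasks /run /tn AttendanceRX-Client
```

Test the trigger as a plain user before relying on it; whether schtasks /run succeeds for a non-administrator on XP depends on the .job ACL, and the app's window appears on the interactive desktop only if the task is allowed to interact with it. Either way, the account named in /ru is resident on every client, so it should be one whose compromise costs you that client, not the domain.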

Author Comment

ID: 13757965
Gin Eric:

Could you walk me through something like that? I did a few quick searches on Google and printed out some information regarding Access Lists; however, it seems a bit overwhelming for me. Thanks!

Expert Comment

ID: 13759912
:(  you mean I have to work on the Windows Server?

Just kidding.  The Access Lists are probably too technical.  What I meant by this "What you really want is an Access Control List . . ." is that you want to create these lists using the GUI tools you have available, such as User Manager, Group Manager, and the associated Policies and Trusts.

Okay, you're running "XP Pro."  Start | Administrative Tools | Services

Look for your program.  If it's there, right click on it, then select Properties.  Let's take Apache2 and SQLExecutive as examples.

First, Apache2 is run under the Log On tab as Local System Account while SQLExecutive is run under "This Account" with a username and password with confirm password.  What this means is that anyone who even tries to call Apache2 probably can, but anyone who tries to call SQLExecutive will be prompted for a username and password.  You must also require complete logons for every call.  That means disabling "remember password" and all the other insecurities that too many people use!

All access to all network programs should require authentication.  Using "remember me" and/or "remember password" makes your computer immediately available to anyone who can walk up to it, or, login remotely.

By that, I don't mean every local program should require it, just the critical ones, your PC Administrator account, your PC account, and so on.  That is why these computers come with multiple accounts, to keep them private.

For running programs specific to only certain users, you first must know if they are on a local PC or on a Server.  While XP Pro is considered a simple PC, it can be a server, as in Apache, FTP, and so on.  This breaks down programs and services into three types:

01.)  Local System
02.)  Local Service
03.)  Network Service

Apache2 runs as a Local System, but is actually an httpd network service.  However, it is run from the PC, i.e., the Local System.

MS SQL is a Network Service all the way.  However, this too can be run on XP Pro.  At install, it should be installed as a Network Service, requiring a username and password.  From thereafter, MS SQL Security Manager is used to define the Access Control List, that is, who can log into the MS SQL Server Database, and with what specific privileges.  MySQL, which works on XP Pro, is similar, if somewhat harder to install and configure.  MySQL comes, erroneously I think, with the default that it runs as a Local System Account.  Many programs make the same bad assumptions, breaking their security.

A Local Service, such as TCP/IP NetBIOS Helper runs as NT Authority\LocalService

The differences are not all that vague:  Local System - anyone on PC, Local Service - the Operating System runs it as NT Authority at PC, Network Service - requires username/password to run with a valid Network Username and Password runs from the server even when that server is the local PC, but, it is called by clients on the network.

The first question is, are you allowing anyone on your PC to run this program, with authentication, or are you allowing anyone on your network to run this program remotely on your PC server, from their PC?

If the program you want to run is on just one PC, your server, then, like MS SQL and MySQL, they must authenticate to your PC.  If the program you want to run is on another PC, then they must authenticate to that PC and possibly to the network, i.e., your PC as the server.

Secondly, there is a Server/Client applications relationship.  As with programs like MySQL, there must be a MySQL Server daemon running at the server, and there must be a MySQL Client program running at the client machine, even if that client machine is also the Server machine.

MySQL is a much better example than both and learning it would help you a lot.  It is extremely secure, out of the box, for XP.

Before we "walk through" this, see if you can find AttendanceRX in Services and see what that says first.  You will most probably have to create a group and add specific users to that group, then set the access to the program for the group.  Then we'll try to set up a Group, perhaps two, or three - Clocked, NoClock, NoWorkHereAnyMore, see what I mean?

Start | Administrative Tools | Services | AttendanceRX | Properties
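The inventory the post above has you do one service at a time in services.msc (Log On tab: Local System, Local Service, Network Service or "This account", plus "interact with desktop"), as an added PowerShell example that is not part of the thread. It reads the live service list through WMI, groups services by log-on identity, picks out the ones that both run as LocalSystem and may interact with the desktop, lists those running under a named account, and looks for anything named like AttendanceRX. No names are assumed beyond that search string.

```powershell
# Added example, not part of the thread. Summarises every service's log-on
# identity and desktop-interaction flag, which services.msc shows one at a time.
# Needs only WMI on the local machine; no assumed names except the search below.

function Get-ServiceLogonSummary {
    Get-WmiObject -Class Win32_Service |
        Select-Object Name, DisplayName, StartName, DesktopInteract, State, PathName |
        Sort-Object StartName, Name
}

$svcs = Get-ServiceLogonSummary

# 1. How many services run under each identity. The three built-in ones show as
#    LocalSystem, NT AUTHORITY\LocalService and NT AUTHORITY\NetworkService;
#    anything else is the "This account" option with a stored password.
"`nServices per log-on identity:"
$svcs | Group-Object StartName | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. LocalSystem services that may interact with the desktop. A window owned by
#    SYSTEM on the user's desktop can be reached by every process on that desktop,
#    so each of these deserves a reason for existing.
"`nLocalSystem services allowed to interact with the desktop:"
$svcs | Where-Object { $_.StartName -eq 'LocalSystem' -and $_.DesktopInteract } |
    Format-Table Name, State, PathName -AutoSize

# 3. Services logging on with a named local or domain account. That account's
#    password is kept by the LSA on this machine, so its privileges elsewhere
#    are exposed to anyone who gets administrator rights here.
"`nServices running under a named account:"
$svcs | Where-Object { $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\)' } |
    Format-Table Name, StartName, State -AutoSize

# 4. The thread's own question: is AttendanceRX installed as a service here?
"`nServices matching 'Attendance':"
$svcs | Where-Object { $_.Name -like '*Attendance*' -or $_.DisplayName -like '*Attendance*' } |
    Format-Table Name, DisplayName, StartName, DesktopInteract, State -AutoSize
```

Run it on the server and on one client; the thread's later posts report that the server has the AttendanceRX service (LocalSystem, interacting with the desktop) and the clients have none, which is exactly what section 4 tells you without opening the console.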


Expert Comment

ID: 13770204
Okay, I'm on the Windows Server [with my fingers crossed!]

Looking over AttendanceRX documentation, this software is fairly comprehensive.  You have a Supervisor's list, which requires a login, and each employee has a PIN number and is logged in when his computer is logged in [punched in], and logged off [punched out] when he logs off of his computer.  There is also an ability to require an actual fingerprint to identify employees.

I would think that such a program would A.) install itself as a Service and B.) be required to install as some user, such as AttendanceRX itself.  It seems fairly business, security, and cost effective conscious.  Therefore, although not obvious, the requirement for a login to run should be equal to a user logging into his computer and the program autostarting to ask him to actually put in his PIN number to clock in.

If an employee is prone to leaving the computer on, say while on long breaks, you can set the logout period to maybe one half hour of inactivity, at which point, he will be automatically punched out and logged out.  Should he notice this, you just get to say "Well where were you?"  Kind of catchy, ain't it?

Boy, I could use that one as a good joke on the IT guys!

You should review how the program was installed, and check to see if it is running as a Service, which it should be.

It really should have had an AttendanceRX Group and an AttendanceRX User.  From there, you can add employees to the group, or add another group, such as timedemployees and then add that to the AttendanceRX Group while changing the permissions for the timedemployees Group to restrict their access to certain functions of AttendanceRX Group, User, and the program itself.

I've decided to download the demo so as to get familiar with it and perhaps be of more help in "walking you through it."

Do you have the Network Version?

Be back shortly, have to install and check it out.

Author Comment

ID: 13777693
Hi Gineric:

I followed some of your advice, some background information:

I bought and installed the network version following the instructions given from Acroprint, the manuf. of the software.

I installed the "server" version on the server, MPSERVER, and it's running as a service; I can see it in SERVICES. Currently, it is running locally with "interact with Desktop."

I then installed the "client" versions on all the clients. The program can only be run as someone from the administrator group (I'm currently using a bat file which uses the runas program.) I'd like to change this, since it's really buggy and I don't want to keep giving out my admin password.

On the clients, "arx" is not running as a service, it's not listed there. What should I do?


Accepted Solution

GinEric earned 2000 total points
ID: 13787568
Okay.  It is running as it should from the Server, locally with interact with desktop.  The client software should run and simply access the server version to report.  While the documentation for AttendanceRX shows that there are passwords for Administrator [there can be only one!] and supervisors [group], the users are set up using a PIN number and thereafter everything should be automatic.

Turning on the client [employee or whatever] computer should get a prompt for that pin number.
Logging on the client computer may be different, but logging off should definitely "clock out" the employee per computer.  If this is not how you're working, but having multiple "clock ins" on a given computer, then you need to adjust for that so they can manually punch in from one station.

arx probably need not run as a service on the client machines.  Only AttendanceRX personnel can answer that question.  However, as with any network, there are users that have the right to call a server program from their client program.  I would suspect that the client machines should be running arx as their own user account, in order for the whole thing to work.  So why is this not so?

On the client machines, who did you install the client software as?  It should have been as the computer user, and not you as Administrator.  Additionally, you can change the ownership and permission of the client program so that a "group" of users, containing the timed employees, can run the client.

By the username and password of who is running the client, your server knows who is at the other end, logging in, turning on their computer, logging off, punching in, etc..  It is a very credible means of identifying who is running the client as each employee has their own username and password.  

I have to get back to you on this tomorrow.

Author Comment

ID: 13811047
I've awarded points, but I still need help with this; I don't know what to do from here. The program cannot be installed as the users since they don't have permissions to install it, therefore I runas administrator to install the programs.


Expert Comment

ID: 13813447
Okay, I actually contacted AttendanceRX because I kind of liked the look of the program.  If you want to ask another question and continue, it's okay.  Or you could email me

GinEric at Musics.com

Either way is okay.  
