Allow non-admins to update files in the System32 folder (or make a limited admin account)

I have a terminal server running Windows 2008.  This server is running an application which *has* to update itself from the internet at least once per day otherwise it doesn't work.  Therefore I would like any user to be able to run the update procedure.

The update runs as administrator but not as a limited user.  The update always fails on a certain file in the Windows System32 folder, despite me granting "Domain Users" full control to the file.  After using "Process Monitor" I have found that Windows appears to be redirecting the request from Windows\system32\filename to User's profile\windows\system32\filename - the file doesn't exist in this location and the update fails.

Is there any way I can stop Windows 2008 from redirecting this file?  This way I can give users full control to the files relating to the app in system32 and the update will then hopefully succeed.

Alternatively, is there a way to make a "limited" admin account?  By this I mean an account with admin rights (therefore permissions to update system32), however this account cannot run any applications other than this software (since I don't want users running apps on the terminal server they are not supposed to have access to).  This way I can educate users to right click the update exe and "run as" this limited admin account.

Any help gratefully received.
ou_dober Commented:
Another option could be this:

The shortcut can then be added to the default user startup folder, added in the TS login script, the default user desktop, or in the registry.

@echo off
psexec -accepteula -u administrator -p password c:\windows\notepad.exe


Try creating another User Group and apply permissions to that group.
wasc (Author) Commented:
Thanks for the suggestion.  I already tried giving Domain Users full control to the files in System32 that belong to the app without success.  I'm not sure what other permissions I could apply with another user group.

I believe it's something to do with redirection on Windows 2008 since the app is trying to write to U:\Windows\System32\file instead of C:\Windows\system32\file where U is their home profile location.  Therefore it looks like Windows is silently redirecting the write request to the Windows system32 folder.

Have you considered making a script to run the update and then add it to the server task scheduler to run daily or multiple times a day?  By using task scheduler, you can put in the administrator credentials for the server without elevating the domain user privileges to get the update completed.

Just a random guess here but I'm going to guess it has something to do with the way the updates are being started. If you go to a command prompt (Start -> Run -> type CMD and press OK), I will assume the default path shows up as U:\

You can try changing the default command path to C:\ as shown at

Then we can see if it tries to update the correct location.
wasc (Author) Commented:
Excellent - this one works well.  I've given all users access to the exe file created by BAT to EXE Converter 1.5 and have deleted the batch file itself (so they can't open it to see the password).

Now everyone can run the update program (as administrator) without being given admin rights or knowing an admin password.
Question has a verified solution.
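
The Task Scheduler suggestion made earlier in the thread, written out as an added example (it is not code posted by any participant). The task name, updater path and run-as account are placeholders; the password is typed once when the task is created and is held by Task Scheduler, so no script or executable readable by users contains it.

```batch
@echo off
rem Added example: register the application's updater as a daily scheduled task.
rem TASKNAME, UPDATER and RUNAS are placeholders (assumptions), not values
rem taken from the thread. Run this once from an elevated command prompt.
setlocal
set "TASKNAME=VendorApp Daily Update"
set "UPDATER=C:\VendorApp\update.exe"
set "RUNAS=EXAMPLE\svc-appupdate"

rem /SC DAILY /ST 03:00  run once per day at 03:00 server time
rem /RU                  account the updater runs under
rem /RP *                prompt for that account's password now instead of
rem                      writing it into this file
rem /RL HIGHEST          run with the account's full (elevated) token
rem /F                   replace the task if it already exists
schtasks /Create /TN "%TASKNAME%" /TR "%UPDATER%" /SC DAILY /ST 03:00 /RU "%RUNAS%" /RP * /RL HIGHEST /F
if errorlevel 1 (
    echo Task creation failed.
    endlocal
    exit /b 1
)

rem Show the stored definition so the schedule and run-as account can be checked.
schtasks /Query /TN "%TASKNAME%" /V /FO LIST
endlocal
```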
