
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 271

How to run without administrator rights, and with convenience?

I am a one-man IT shop here; we are a non-profit with 65 XP SP3 PCs on a Windows 2003 domain. We (I) will have to implement a policy of not running as Administrator - of course it seems everything I touch needs admin privileges.

How do other people do this practically without logging in and out a dozen times a day?
Part two - does anyone use a software solution? There must be something less painful than runas!  (And no, Linux doesn't count, sorry...)

Unfortunately using better authentication (tokens) would not mitigate the risk of reading email as administrator...


3 Solutions
Hello DeepThnkr,

You can do a lot of admin tasks with Group Policy Objects (GPO): http://technet.microsoft.com/en-us/library/cc779838(WS.10).aspx
Other tasks with tools from Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx
Scripting: with VBScript or PowerShell, with WMI or not, you can do a lot of things from your own server.

A good thing is to use a Terminal Server, so you just need to install software, patches and Co on one (or two) servers for everyone. Windows 2008 now allows you to deploy software directly with Terminal Services. Users can run applications as if they were installed on their own computers.

There are a couple of separate issues -- running software and performing administrative tasks.

Well-written software should be able to run under a regular user account, but of course lots of programs do not fall into that category.  If you have one which doesn't work correctly for ordinary users, you can use the following procedure:
  1. Run Process Monitor and note which files and registry keys the program is unable to access.  
  2. Grant users permission to access those files and see if it corrects the problem.  
  3. If so, push out the permission changes to workstations using the group policy nodes Registry and File System under Computer Configuration\Windows Settings\Security Settings.  
This is something of a pain to set up at first but often works well with no intervention after that.

Here's a way to simplify a lot of administrative tasks:
  1. Create a custom console.  
  2. Add all the snap-ins you commonly use, such as Computer Management, AD Users and Computers, and Group Policy Management.
  3. Create a batch script which runs the console with the runas command, e.g. runas /user:YourDomain\YourAdminAccount "mmc c:\AdminConsole.msc"
  4. Create a shortcut to the batch script and place it on your desktop or quick launch bar.
When you click it you will be prompted for the admin account's password once, but then you can use the console to perform most tasks which you can't do as an ordinary user.

Starting a command prompt with Run As and then using the PsTools utilities which leakim971 linked to also works well.
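
The Process Monitor procedure in the answer above can be shortened by filtering a saved CSV export for denied operations. This is an added example, not part of the original answers; `LegacyApp.exe`, its paths, the sample rows and the `Get-DeniedResource` helper are all constructed for illustration.

```powershell
# Constructed sample in the column layout of a Process Monitor CSV export.
# LegacyApp.exe and every path below are made up for this example.
$procmonCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:14:02.1","LegacyApp.exe","2212","CreateFile","C:\Program Files\LegacyApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write, Read Attributes, Disposition: OpenIf"
"9:14:02.2","LegacyApp.exe","2212","RegOpenKey","HKLM\SOFTWARE\LegacyApp","SUCCESS","Desired Access: Read"
"9:14:02.3","LegacyApp.exe","2212","RegCreateKey","HKLM\SOFTWARE\LegacyApp\State","ACCESS DENIED","Desired Access: All Access"
"9:14:03.0","LegacyApp.exe","2212","CreateFile","C:\Program Files\LegacyApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write, Read Attributes, Disposition: OpenIf"
"9:14:03.4","explorer.exe","1480","CreateFile","C:\Windows\Temp\x.tmp","ACCESS DENIED","Desired Access: Generic Read"
'@

# Hypothetical helper: one row per resource the given process was denied,
# with the access it asked for and the Security Settings node
# (Registry or File System) where the permission change would be defined.
function Get-DeniedResource {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,
        [Parameter(Mandatory = $true)] [string]   $ProcessName
    )
    $Events |
        Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Result -eq 'ACCESS DENIED' } |
        Group-Object -Property Path |
        ForEach-Object {
            # Detail is a comma-separated list of "Key: value" pairs; capture
            # the Desired Access value up to the next key or the end of the field.
            $detail = $_.Group[0].Detail
            $access = 'unknown'
            if ($detail -match 'Desired Access:\s*(.+?)(?:,\s*\w[\w ]*:|$)') {
                $access = $Matches[1].Trim()
            }
            $node = 'File System'
            if ($_.Name -match '^HK') { $node = 'Registry' }
            [pscustomobject]@{
                Denials       = $_.Count
                GpoNode       = $node
                Path          = $_.Name
                DesiredAccess = $access
            }
        } |
        Sort-Object -Property Denials -Descending
}

$events = $procmonCsv | ConvertFrom-Csv
Get-DeniedResource -Events $events -ProcessName 'LegacyApp.exe' | Format-Table -AutoSize
```

For a real capture, replace the here-string with `Import-Csv` on the file saved from Process Monitor. The DesiredAccess column shows what the program asked for, which helps in granting only the permission it needs on that one file or key.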

As an admin who often runs as a limited user I definitely agree with Shift-3's MMC approach. I've also learned to access a lot of the other tools I need through the command line (e.g. "control.exe appwiz.cpl" rather than Start > Control Panel > Add/Remove Programs).

When performing several tasks from a user's desktop I tend to launch a privileged command prompt using runas ("runas /u:adminaccount@domainname.local cmd.exe") then run everything I need from there.

It's worth the effort, keeping your users out of the local administrators group will save you so much time in the long run!

Good luck,

DeepThnkr (Author) Commented:
Thanks for the thoughtful comments.
My question is primarily about me running as an Admin.

This comes up as part of our self-certification for PCI DSS V1.2.
We can't share any user accounts at all since this is a requirement of PCI DSS V1.2.
We will have to create individual admin accounts for our admins.  And then I will have to run as a regular user day to day.

The console idea is a good one. I already use ManagePC - which is pretty much MMC on steroids (with a little bit of WMI). It's free and definitely worth looking into.

Users don't have administrator privilege here, but they are in Power Users - which fixes most apps. I can apply the Process Monitor idea to rein in the balky apps, and remove users' membership in Power Users.

Thanks for your help all,

