How to run without administrator rights, and with convenience?

Posted on 2009-12-28
Last Modified: 2013-12-04
I am a one-man IT shop here; we are a non-profit with 65 XP SP3 PCs on a Windows 2003 domain. We (I) will have to implement a policy of not running as Administrator - of course it seems everything I touch needs admin privileges.

How do other people do this practically without logging in and out a dozen times a day?
Part two - does anyone use a software solution? There must be something less painful than runas!  (And no, Linux doesn't count, sorry...)

Unfortunately using better authentication (tokens) would not mitigate the risk of reading email as administrator...


Question by:DeepThnkr
    LVL 81

    Assisted Solution

    Hello DeepThnkr,

    You can do a lot of admin tasks with Group Policy Objects (GPO):
    Other tasks with tools from Sysinternals:
    Scripting: VBScript, PowerShell, with WMI or not; you can do a lot of things from your own server.

    A good thing is to use a Terminal Server. So you just need to install software, patches and co. on one (or two) servers for everyone. Windows 2008 now allows you to deploy software directly with Terminal Services. Users can run applications as if they were installed on their own computers.

    LVL 38

    Accepted Solution

    There are a couple of separate issues -- running software and performing administrative tasks.

    Well-written software should be able to run under a regular user account, but of course lots of programs do not fall into that category.  If you have one which doesn't work correctly for ordinary users, you can use the following procedure:
    1. Run Process Monitor and note which files and registry keys the program is unable to access.  
    2. Grant users permission to access those files and see if it corrects the problem.  
    3. If so, push out the permission changes to workstations using the group policy nodes Registry and File System under Computer Configuration\Windows Settings\Security Settings.  
    This is something of a pain to set up at first but often works well with no intervention after that.

    Here's a way to simplify a lot of administrative tasks:
    1. Create a custom console.  
    2. Add all the snap-ins you commonly use, such as Computer Management, AD Users and Computers, and Group Policy Management.
    3. Create a batch script which runs the console with the runas command, e.g. runas /user:YourDomain\YourAdminAccount "mmc c:\AdminConsole.msc"
    4. Create a shortcut to the batch script and place it on your desktop or quick launch bar.
    When you click it you will be prompted for the admin account's password once, but then you can use the console to perform most tasks which you can't do as an ordinary user.

    Starting a command prompt with Run As and then using the PsTools utilities which leakim971 linked to also works well.
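
For step 1 of the permissions procedure above, the Process Monitor trace can be exported to CSV and reduced to the distinct files and registry keys the program was denied, so that permissions are granted on exactly those objects and nothing broader. This is an added example, not part of the original answer; the process name LegacyApp.exe, the function name Get-DeniedResource and the sample rows are constructed for illustration.

```powershell
# Added example (not from the thread). The rows below are constructed; the column
# names are the ones Process Monitor writes when a trace is saved as CSV.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","LegacyApp.exe","1234","CreateFile","C:\Program Files\LegacyApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.2","LegacyApp.exe","1234","RegCreateKey","HKLM\SOFTWARE\LegacyApp","ACCESS DENIED","Desired Access: All Access"
"10:01:02.3","LegacyApp.exe","1234","CreateFile","C:\Program Files\LegacyApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.4","LegacyApp.exe","1234","RegOpenKey","HKCU\Software\LegacyApp","SUCCESS","Desired Access: Read"
"10:01:02.5","OtherApp.exe","800","CreateFile","C:\Program Files\OtherApp\data.db","ACCESS DENIED","Desired Access: Generic Write"
'@

function Get-DeniedResource {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,
        [Parameter(Mandatory = $true)] [string]   $ProcessName
    )
    $Events |
        # Keep only the failing accesses of the program under test
        Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Result -eq 'ACCESS DENIED' } |
        # Collapse repeated attempts on the same object into one row
        Group-Object -Property Path |
        ForEach-Object {
            # Registry paths in a trace start with a hive abbreviation
            $type = if ($_.Name -match '^HK(LM|CU|CR|U)\\') { 'Registry' } else { 'File' }
            New-Object PSObject -Property @{
                Type   = $type
                Path   = $_.Name
                Hits   = $_.Count
                Access = $_.Group[0].Detail   # what the program asked for
            }
        } |
        Sort-Object Type, Path
}

# For a real trace use: $events = Import-Csv .\trace.csv
$events = $sample | ConvertFrom-Csv
Get-DeniedResource -Events $events -ProcessName 'LegacyApp.exe' |
    Format-Table Type, Hits, Path, Access -AutoSize
```

The Access column shows what the program requested, which helps decide whether a narrower right than Full Control is enough before the change goes into the File System or Registry policy nodes.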
    LVL 8

    Assisted Solution

    As an admin who often runs as a limited user I definitely agree with Shift-3's MMC approach. I've also learned to access a lot of the other tools I need through the command line (eg "control.exe appwiz.cpl" rather than Start > Control Panel > Add/Remove Programs).

    When performing several tasks from a user's desktop I tend to launch a privileged command prompt using runas ("runas /u:adminaccount@domainname.local cmd.exe") then run everything I need from there.

    It's worth the effort: keeping your users out of the local administrators group will save you so much time in the long run!

    Good luck,

    LVL 2

    Author Comment

    Thanks for the thoughtful comments.
    My question is primarily about me running as an Admin.

    This comes up as part of our self-certification for PCI DSS V1.2.
    We can't share any user accounts at all since this is a requirement of PCI DSS V1.2.
    We will have to create individual admin accounts for our admins.  And then I will have to run as a regular user day to day.

    The console idea is a good one.  I already use ManagePC - which is pretty much MMC on steroids (with a little bit of WMI).  It's free and definitely worth looking into.

    Users don't have administrator privilege here, but they are in Power Users - which fixes most apps.  I can apply the Process Monitor idea to rein in the balky apps, and remove users' membership in Power Users.

    Thanks for your help all,

