How to permanently run a program as administrator on a standard user domain account

Can I get some feedback on any recommendations to run a program on windows 7 that requires admin rights without actually giving the user administrator access to the workstation?

Currently when a user is logged on and tries to access these particular programs they get a username and password prompt.
midITAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Chris MillardCommented:
There's a good document at http://www.howtogeek.com/124087/how-to-create-a-shortcut-that-lets-a-standard-user-run-an-application-as-administrator/ 

This will walk you through the steps of creating a shortcut to a program that runs under saved administrative credentials, BUT beware that this is still a security risk.

You could also try turning off UAC and see if that gets around the issue, but then that may open up more programs than you specifically want.
McKnifeCommented:
Chris' idea is not suitable. The saved password is accessible by all applications which effectively makes the (potentially savvy) user an administrator.
There is no secure way to achieve what you want, but:
-There's 3rd party software http://www.beyondtrust.com/Products/PowerBrokerforWindows/
- there is a secure way but only for command line programs. Is yours a command line program or does it require user interaction?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
KimputerCommented:
Have a local admin put these programs in the task scheduler and test it first (if no window opens, you can already stop).
If it works, log out, let the normal user log in, open task scheduler, find the correct task, run.
The only caveat is everything spawned from there, is run at local administrator level. A savvy user would use the Open File dialog (if the program has this option, and most do) to open another program, which is running on the same admin rights, so you could probably do whatever you wish with the system.
Defend Against the Q2 Top Security Threats

Were you aware that overall malware worldwide was down a surprising 42% from Q1'18? Every quarter, the WatchGuard Threat Lab releases an Internet Security Report that analyzes the top threat trends impacting companies worldwide. Learn more by viewing our on-demand webinar today!

Adam LeinssServer SpecialistCommented:
Personally, I've used a BAT2EXE method.  I created a normal domain "service" account.  Then I add this domain account to the local Administrator's group.  Then I use psexec to run the program as administrator:

C:\RunAs\PsExec.exe -accepteula -u acmedomain\AdobeUpdateAdmin -p Somecleverpasswordhere "C:\Program Files\TraxStar\TraxClient\TraxLaunch.exe" 192.168.1.30 8090 "C:\Program Files\TraxStar\TraxClient\qatrax.exe" 8091

Use some bat2exe program to run this and viola.  There's a brief moment where the batch file is written to the user's temp file in clear text, then deleted.  A sophisticated user could figure this out, however, this is not the super user password for every PC, but the password of just a regular domain account and I don't put that on account every PC, just for the PCs that have "troublesome" applications.

If the program doesn't require domain resources, then a local account put in the local administrators group with a random password would work fine too.  That way if the password is compromised it is just that PC.
McKnifeCommented:
All methods that let the user interact with elevated apps are easily exploitable and not recommendable - that's why I asked about the type of thing you try to run.
Adam LeinssServer SpecialistCommented:
True...with enough sophistication the end user can do that...but it's better than the alternative of just granting them blanket admin rights.
McKnifeCommented:
Sure. But there's a secure way, the tool I linked extends windows' abilities. it can really do a lot.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
IT Administration

From novice to tech pro — start learning today.