midIT

How to permanently run a program as administrator on a standard user domain account

Can I get some feedback on any recommendations to run a program on Windows 7 that requires admin rights without actually giving the user administrator access to the workstation?

Currently when a user is logged on and tries to access these particular programs they get a username and password prompt.
Chris Millard

There's a good document at http://www.howtogeek.com/124087/how-to-create-a-shortcut-that-lets-a-standard-user-run-an-application-as-administrator/ 

This will walk you through the steps of creating a shortcut to a program that runs under saved administrative credentials, BUT beware that this is still a security risk.

You could also try turning off UAC and see if that gets around the issue, but then that may open up more programs than you specifically want.
ASKER CERTIFIED SOLUTION
McKnife

This solution is only available to members.
Kimputer

Have a local admin put these programs in the task scheduler and test it first (if no window opens, you can already stop).
If it works, log out, let the normal user log in, open task scheduler, find the correct task, run.
The only caveat is that everything spawned from there is run at local administrator level. A savvy user would use the Open File dialog (if the program has this option, and most do) to open another program, which is running on the same admin rights, so you could probably do whatever you wish with the system.

Personally, I've used a BAT2EXE method.  I created a normal domain "service" account.  Then I add this domain account to the local Administrators group.  Then I use psexec to run the program as administrator:

C:\RunAs\PsExec.exe -accepteula -u acmedomain\AdobeUpdateAdmin -p Somecleverpasswordhere "C:\Program Files\TraxStar\TraxClient\TraxLaunch.exe" 192.168.1.30 8090 "C:\Program Files\TraxStar\TraxClient\qatrax.exe" 8091

Use some bat2exe program to run this and voilà.  There's a brief moment where the batch file is written to the user's temp file in clear text, then deleted.  A sophisticated user could figure this out; however, this is not the super user password for every PC, but the password of just a regular domain account, and I don't put that account on every PC, just on the PCs that have "troublesome" applications.

If the program doesn't require domain resources, then a local account put in the local administrators group with a random password would work fine too.  That way if the password is compromised it is just that PC.

All methods that let the user interact with elevated apps are easily exploitable and not recommendable - that's why I asked about the type of thing you try to run.

True...with enough sophistication the end user can do that...but it's better than the alternative of just granting them blanket admin rights.

Sure. But there's a secure way: the tool I linked extends Windows' abilities. It can really do a lot.
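
The saved-credential shortcut and the PsExec wrapper discussed in this thread both leave a reusable administrator credential on the workstation. The following PowerShell function is an added example, not part of any post above: it flags such command lines in script text and masks the password in its output. `Find-EmbeddedCredential`, its patterns and the sample lines are constructed for illustration, and it assumes PowerShell 3.0 or later and that `-u` precedes `-p` on a PsExec line.

```powershell
# Added example: flag command lines that embed or reuse administrator credentials.
# Find-EmbeddedCredential and the sample lines are constructed for illustration.
function Find-EmbeddedCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    begin {
        $n = 0
        # PsExec given an account (-u) followed by a clear-text password (-p)
        $psexec = [regex]'(?i)\bpsexec(?:64)?(?:\.exe)?"?\s+(?:.*?\s)?-u\s+(?<user>"[^"]+"|\S+)\s+(?:.*?\s)?-p\s+(?<secret>"[^"]+"|\S+)'
        # runas /savecred reuses a credential cached for the logged-on user
        $runas = [regex]'(?i)\brunas(?:\.exe)?\s.*?/savecred\b'
        $runasUser = [regex]'(?i)/user:(?<user>"[^"]+"|\S+)'
    }
    process {
        $n++
        $m = $psexec.Match($Line)
        if ($m.Success) {
            $s = $m.Groups['secret']
            [pscustomobject]@{
                LineNumber = $n
                Finding    = 'PsExec password on command line'
                Account    = $m.Groups['user'].Value
                # Report the line with the secret masked, never the secret itself
                Evidence   = $Line.Remove($s.Index, $s.Length).Insert($s.Index, '<redacted>')
            }
        }
        elseif ($runas.IsMatch($Line)) {
            $u = $runasUser.Match($Line)
            [pscustomobject]@{
                LineNumber = $n
                Finding    = 'runas /savecred (stored credential reusable by this user)'
                Account    = if ($u.Success) { $u.Groups['user'].Value } else { '(not specified)' }
                Evidence   = $Line
            }
        }
    }
}

# Constructed sample batch-file content (not taken from a real system)
$sample = @(
    '@echo off'
    'C:\Tools\PsExec.exe -accepteula -u EXAMPLE\svc-app -p NotARealPassword "C:\Program Files\App\app.exe"'
    'runas /user:EXAMPLE\localadmin /savecred "C:\Program Files\App\app.exe"'
    'start "" "C:\Program Files\App\viewer.exe"'
)
$sample | Find-EmbeddedCredential | Format-List
```

The sample yields two findings, for lines 2 and 3. Piping `Get-Content` output for a batch file or login script into the function audits real files the same way.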