question

BillArtemik-5485 avatar image
0 Votes"
BillArtemik-5485 asked Joey-7437 commented

Run a specific as an admin from a standard user account - How?

We have a client with 147 users that use a specific app. This app works fine under restricted user use EXCEPT that Once-A-Month update the vendor pushes out. This disables use of the app until the update is run. The update requires admin rights so we have to remote in to 147 machines and update this app.

The update is not a MSI file or anything we can "push out" via AD installers (GPO).

Is there a tool that will allow us to grant this ONE APPLICATION the rights to run as an admin? (I recall using Beyond Trust some time ago but that's an expensive solution for 1 application, today, and I don't even know if they're around, anymore).

Honestly I'm surprised this is not a feature already part of the Windows framework! We manage over 700 machines and this type of capability is routinely needed.

If it's built into Windows now, I would love to know what that is. Does anyone have a work-around for this type of issue? (note: the RunAs /savecred does not work cuz you cannot explicitely assign admin privileges to the RunAs command).

windows-10-general
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JoyQiao-MSFT avatar image
0 Votes"
JoyQiao-MSFT answered JoyQiao-MSFT commented

Hi Bill,

Thank you for coming Microsoft Q&A.

I noticed you said RunAs /savecred not work as you, but I am not sure if you could create that application shortcut and give add administrator to that shortcut to let users run update by themselves. If haven't try, I would recommend to try and check.

Here is a link about detailed steps.
How To Create a Shortcut That Lets a Standard User Run An Application as Administrator

As SCCM have a specific function to deliver software update and manage software update in software center, so we could consider to use SCCM to manage clients. It would be more convenient, but need to cost money on SCCM.

Here is the management function introduction.

Software Center user guide

Or we could use PsExec to execute update action on remote systems. If you have any issue about this command line, I would recommend to contact with Script forum.

Bests,

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi Bill,

Just want to know if my reply was useful for you.

If yes, would you mark it as answer?

If you need further assistance, please reply to us directly.

Bests,

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


0 Votes 0 ·
Joey-7437 avatar image
0 Votes"
Joey-7437 answered MotoX80 commented

Same problem as me.
Grant only one specific application administrator rights to run it as administrator from standard user account.
Runas savecred is not a good idea, because savecred store the administrator password, that user can take it for all applications

blogenRunasSavecred.html

Is there any other solution?


· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Work with the application developer to fix the program so that it does not require elevation.

You might want to post your own question and describe the application and what it does. If it's trying to write to some directory, then a simple solution would be to grant the Users group write access. Do you know what call it's making that requires Administrator access?

1 Vote 1 ·
Joey-7437 avatar image
0 Votes"
Joey-7437 answered Joey-7437 commented

Thank you, but programs need elevated rights because for system jobs or updates.
At the moment users on those notebooks have got local administrator rights, because they work on different locations like caves, ships, deserts with slow and infrequent network connections.
We want to limit the administrator rights for a few different applications that they can to that job if it is necessary and possible with less risk.

· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thank you for this.
Runasrob is the solution.

0 Votes 0 ·