Allow Standard User to Run Program as Local Admin Without Elevation Prompt

Run As Administrator Without Being Administrator

Allow a non-admin user to run a program as a local admin account but without elevation prompt

Below are instructions for setting up a workaround to get an application to run as another account that is a local administrator. The account that executes the process does not need to be a local administrator on the PC though.

The Windows Workaround (see all below notes)

Examples

  1. Create Username (domain or local): ProxyRunAsLocalAdmin

  2. Create Password (domain or local): <SomeComplexPassword>

Notes

  • This account is setup as local admin on PCs where something needs to be run with admin permissions without actually giving the end-user which will run it (execute) local admin permissions.

  • This is a last resort option for things which will not work for non-admins on the local machines where giving their account (the end-user and/or some group) explicit registry and file system level object access does not work.

Security

  • No one is to have this information other than domain administrators—i.e. don't share with the end-user.

Creating a shortcut with the RUNAS (this could be D:\Setup.exe)

Shortcut Properties Example

TARGET Field Example (below):

%systemroot%\system32\runas.exe /user:domain\ProxyRunAsLocalAdmin /savecred "C:\Program Files\BlueStacks\HD-StartLauncher.exe"

START IN Example: "C:\Program Files\BlueStacks"

enter image description here

IMPORTANT: The double-quotes around the Start In: field may be required whether or not there are any spaces in the path.

Additional Setup Notes

  • You can create a domain user account or a local PC user account for this purpose and give it local admin permissions to the local machine whenever such a solution is needed.
  • You'll have to run the shortcut with the "RUNAS, etc." when signed onto the PC as the user that will need to execute that process without being a local admin themselves. When you do this, you will be required to type in the credential—caching it this ONE time but it'll not be needed on each subsequent execution of the process using the RUNAS and /SAVECRED again from that SAME user account profile moving forward.
  • This password to this account is NOT shared with anyone, only the domain\systems admins have this information and plug it in wherever needed per user per machine—it is a per Windows user account profile type deal as well. So, if you create a new profile for a user and this solution is needed, then the shortcut will need to be run again so the credential is cached for their profile as well (by an admin).

Security Notes

  1. You cannot restrict local login access for the account through group policy or the account will not be able to RUNAS interactively—I already tried that for security but I could not get it to work properly.
  2. Since this is a cached credential with local admin permissions on it, technically an end-user where this is saved could apply this same RUNAS technique to another EXE or via command line if that's allowable. This means you as the admin need to weigh in the upsides and downsides with this solution including the risks. Perhaps allowing this for your trustworthy people or items that are ongoing or needed over and over again without actually granting the end-user local admin is fine.

Controls

You do have some controls in place for this solution though such as . . .

  • Pick which machines you want to allow this to run runas from
  • Pick which user profiles on each machine you want this to runas from
  • You have to go to the user profile on this machine and type in the credentail the initial time regardless
  • The exposure is to local machine at the PC level, not the domain level since the local or AD account is a member of the local machine IP address
  • Don't give this account any network resource access to anything (only local PC admin per each individual PC as-needed)
  • If you ever want to do a mass disable of this feature (assuming using a domain account) then simply disable the account or change the password
  • Ensure that others are aware of some of these ramifications, etc. and get them to approve so you're not the person making the decision to use this or not

Tags:

Windows

Powershell

Recent Posts