How can Power User launch a specific elevated process without knowledge of admin account

  • Question

  • I have a problem at work that really needs your assistance.

    In our Active Directory domain, all of our users are "Power Users" on their computers.  We do so to restrict them from installing software, and we in IT handle software installations via Microsoft SCCM.

    There are a few cases where software, when running it, requires elevation.  Of course, to a member of the "Power Users" group this forces a login/elevation prompt for them to enter credentials of an appropriate account.  The only way I've been able to help them is to create a local administrator account, give them the password and they enter that information in the login/elevation credentials window.

    Of course, they figure out they can use that account to also install software we don't want on the computers.

    Is there a way around this?  Perhaps an admin account that can only elevate programs we explicitly set?  Found group policy for only allowing specific programs, but it only works when you are actually logged in as that account and not when using it for elevation.

    Any ideas are welcome!

    Sean

    Tuesday, July 8, 2014 11:11 AM

All replies

  • Hi,

    Note that if you have one process 'running as admin', this in most cases opens up administrative access to the entire computer, including creating additional accounts, resetting passwords, configuring services... you get the point.

    So the best way would be to make sure your users have the needed privileges to access and execute all stuff related to their roles so they do not need elevation.

    This can be tricky for some applications, but in most cases it is pretty easy to find what additional privileges to assign using tools like Sysinternals Procmon.


    MCP/MCSA/MCTS/MCITP

    • Proposed as answer by Yolanda Zhu Wednesday, July 9, 2014 1:43 AM
    Tuesday, July 8, 2014 11:49 AM
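
As an added example (not part of any reply in this thread), one way to act on the Procmon suggestion above: export a capture to CSV and list the operations that returned ACCESS DENIED for the program. It assumes the capture was taken while the program ran without elevation; the process name `LegacyApp.exe`, the sample paths and the function name `Get-DeniedAccess` are made up for illustration.

```powershell
# Constructed sample of a Procmon CSV export using the default columns.
# Process names, PIDs and paths are invented for illustration.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:02:14.1000000","LegacyApp.exe","4120","CreateFile","C:\Program Files (x86)\LegacyApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf"
"11:02:14.1000100","LegacyApp.exe","4120","RegOpenKey","HKLM\SOFTWARE\WOW6432Node\LegacyApp","SUCCESS","Desired Access: Read"
"11:02:14.2000000","LegacyApp.exe","4120","RegCreateKey","HKLM\SOFTWARE\WOW6432Node\LegacyApp\State","ACCESS DENIED","Desired Access: All Access"
"11:02:15.0000000","LegacyApp.exe","4120","CreateFile","C:\Program Files (x86)\LegacyApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf"
"11:02:15.3000000","explorer.exe","2210","CreateFile","C:\Windows\Temp\x.tmp","ACCESS DENIED","Desired Access: Generic Write"
'@

function Get-DeniedAccess {
    param(
        [Parameter(Mandatory)] [object[]] $Events,      # rows from Import-Csv / ConvertFrom-Csv
        [Parameter(Mandatory)] [string]   $ProcessName  # image name to report on
    )
    $Events |
        # Keep only the target program's denied operations.
        Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Result -eq 'ACCESS DENIED' } |
        # Collapse repeated attempts on the same resource into one row.
        Group-Object -Property Operation, Path |
        ForEach-Object {
            $first = $_.Group[0]
            # Detail reads "Desired Access: <rights>[, Disposition: ...]";
            # capture the rights up to the next "Name:" field or end of line.
            $wanted = if ($first.Detail -match 'Desired Access:\s*(.+?)(,\s*\w[\w ]*:|$)') { $Matches[1] } else { '' }
            [pscustomobject]@{
                Path          = $first.Path
                Operation     = $first.Operation
                DesiredAccess = $wanted
                Count         = $_.Count
            }
        } |
        Sort-Object Path
}

# Two rows result: the settings.ini write (Count 2) and the registry key create.
Get-DeniedAccess -Events ($sample -split '\r?\n' | ConvertFrom-Csv) -ProcessName 'LegacyApp.exe' |
    Format-Table -AutoSize
```

For a real capture, replace the sample with `Import-Csv` on the exported file. Each reported path is a candidate for a narrowly scoped permission instead of elevation; write access to a location that holds executables or services deserves extra review before it is granted.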
  • Hi! Thanks for the reply.

    I've used procmon a few times for different things.  In this situation would I launch procmon, then launch my program as an administrator and see what resources it accesses?

    Wednesday, July 9, 2014 11:08 AM
  • Hi,

    I noticed that you deploy this software via SCCM. You can set the "Run mode" to "Run with administrative rights" for the end user; the software installation will then use a local system account instead. Please see the screenshot below:

    If you have an issue with SCCM, you can post a question in the following forum:

    http://social.technet.microsoft.com/Forums/systemcenter/en-US/home?category=configurationmanager


    Yolanda Zhu
    TechNet Community Support

    • Marked as answer by EMMmmmmmm Monday, July 21, 2014 9:35 AM
    Tuesday, July 15, 2014 8:47 AM