Two separate accounts, standard and administrator permissions for users.

  • Question

  • Hi,

    What is the correct process to split permission levels for a single user so that they have an account with user permissions for logging into the workstation and doing their daily tasks, and an account with administrative permissions that they can only use when an application needs to be elevated and run with administrative privileges in UAC? This account will not be able to log into the workstation.

    This is for a company using ADUC; all devices are Windows 10.

    I am trying to steer away from users that have a single account with administrative permissions, due to the elevation security risks posed by malware.

    I can understand most of the process, although we have a strict password policy whereby the password needs to be changed often.

    We currently use an email reminder telling users that their password needs to be changed. I can probably add their associated email address to their account with administrative permissions, but how would they be able to change the password of this account, since they cannot log into it?

    I would appreciate feedback from others who have gone down this path.

    Thanks

    Monday, February 12, 2018 7:22 PM

All replies

  • Hi,

    Is it that some applications need administrator privileges to run, but you want standard user accounts to be able to run them as well?

    If yes, I recommend that you create a shortcut and set it to always run as administrator.

    It is possible for a standard user to run an application that needs administrator rights.

    Here are the steps for your reference.

    1. Make sure the administrator account is enabled.

    2. Right-click the desktop to create a shortcut.

    3. Type the command:

        runas /user:ComputerName\Administrator /savecred "C:\Path\To\Program.exe"

        Example:

        runas.exe /user:Laptop\Administrator /savecred "C:\Program Files\Google\Chrome\Application\chrome.exe"

    4. Customize the shortcut.

    5. The first time you double-click your shortcut, you’ll be prompted to enter the Administrator account’s password. This password will be saved – the next time you double-click the shortcut, the application will launch as Administrator without asking you for a password.


    • Edited by Vera Hu Tuesday, February 13, 2018 10:11 AM
    • Proposed as answer by Vera Hu Wednesday, February 14, 2018 9:39 AM
    Tuesday, February 13, 2018 9:05 AM
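
    An added example, not part of the original thread or of any poster's reply: the shortcut in step 5 relies on `runas /savecred`, which keeps the Administrator credential in the logged-on user's Windows Credential Manager. This PowerShell script lists such saved entries for the current user so they can be reviewed or removed; the function name `Get-SavedRunasCredential`, the sample output and the `Domain:interactive=` target prefix are assumptions.

```powershell
# Added example: find credentials saved by "runas /savecred" for the current user.
# Assumptions: cmdkey /list prints English "Target:", "Type:" and "User:" labels,
# and runas /savecred entries use a "Domain:interactive=" target prefix.

# Constructed sample of cmdkey /list output, used when cmdkey.exe is unavailable.
$sample = @'
Currently stored credentials:

    Target: Domain:interactive=LAPTOP\Administrator
    Type: Domain Password
    User: LAPTOP\Administrator

    Target: LegacyGeneric:target=git:https://example.invalid
    Type: Generic
    User: alice
'@ -split '\r?\n'

function Get-SavedRunasCredential {
    param([string[]]$CmdkeyOutput)

    $entries = @()
    $current = $null
    foreach ($line in $CmdkeyOutput) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            # A Target line starts a new entry.
            $current = [pscustomobject]@{ Target = $Matches[1]; Type = ''; User = '' }
            $entries += $current
        } elseif ($current -and $line -match '^\s*(Type|User):\s*(.+?)\s*$') {
            $name = $Matches[1]
            $current.$name = $Matches[2]
        }
    }
    # Keep only entries saved for interactive reuse, as runas /savecred creates.
    $entries | Where-Object { $_.Target -like 'Domain:interactive=*' }
}

# Use live data when cmdkey.exe exists; otherwise fall back to the constructed sample.
$raw = if (Get-Command cmdkey.exe -ErrorAction SilentlyContinue) { cmdkey.exe /list } else { $sample }

$found = @(Get-SavedRunasCredential -CmdkeyOutput $raw)
if ($found.Count -eq 0) {
    'No saved runas credentials found for this user.'
} else {
    $found | Format-Table Target, User -AutoSize
    # Each entry can be removed with: cmdkey /delete:<Target>
}
```

    Credential Manager entries are per user profile, so the script has to run in the session of the account being audited.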
  • Hi Vera,

    I can understand the elevation requirement, which is fine, although we have a password policy whereby the account's password needs to be changed often.

    So if a user logs in with an account that has user permissions, they can change their account password either by pressing Ctrl+Alt+Delete, or on next logon it will prompt them. But what happens for their assigned administrator account?

    Since they do not log on with this account, nor are they allowed to, they cannot change this password. So if they need to elevate an application or anything else, they won't be able to, since the account's password has expired.

    To put it in a nutshell: when using an account with administrative privileges solely for elevating anything on Windows, how would the end user change the password associated with this account when forced to change it?

    Thursday, February 22, 2018 9:33 PM