Sometimes it is necessary to run applications as an Administrator, otherwise the functionality of the program just does not work. This was the case with one of our Financial systems, for which once a week I had to be next to the users to keep entering my Admin Credentials. I have tried everything you could search for online to have the application run without my intervention.
- Full Permission on the Folders being accessed
- Various Local User Permissions
- Running the task from a Task Scheduler
- Etc…
There are a few things I opted not to do, as the potential Security risk was too high for me to accept.
Finally, I decided on the following solution as I could control some of the Security Concerns.
Overview
The solution would be to create a Local User with Admin Rights on only the user’s PC that requires an application to run as Administrator. Because the site has a Domain Controller running some Group Policies, I had to update the specific GPO to not remove the new Local User from the Administrators group.
The new Local User would then have a password unique to that PC only. If the credentials do get used for anything other than the intended purpose, they can only be used on that one PC and not on another PC with a similar setup.
After this has been done, the Shortcut will then be modified to run the application with the newly created user’s details.
Implementation
Local User
Create a New User by opening Computer Management as Administrator.
Once open, browse to Local Users and Groups, then Right Click (Alternate Click) Users and choose New User…
In the new Dialog, you can create the user that will have Local Admin Rights. I suggest using a Password Generator to make the password as complicated as possible. Next, untick “User must change password at next logon” and tick “Password never expires”.
If your password is sufficiently strong and you are not using it anywhere else this should not be easily compromised.
Go back into the newly created user’s Properties and then to Member Of. Click Add…, then in the Search Dialog search for Administrators, click Check Names and then OK. This should assign the User the required Rights.
Amend Shortcut
With that done you can now go to the Shortcut of the Application you need to run as Administrator. Right-click and choose properties. There will be one of Two commands you can paste in front of the Target:
The first is Simply:
C:\Windows\System32\runas.exe /user:ComputerName\LocalAppz /savecred "Application"
Example:
C:\Windows\System32\runas.exe /user:fnwa001vs\LocalAppz /savecred "C:\Program Files\Everything-Search\Everything.exe"
This will run the software directly and works with most applications. The problem I found is that some applications just do not run. For these applications, you can try the following command in front of the application Target Location, which runs Command Prompt, and then from Command Prompt it runs the application:
C:\Windows\System32\runas.exe /user:fnwa001vs\LocalAppz /savecred "cmd /C """Application""
Example:
C:\Windows\System32\runas.exe /user:fnwa001vs\LocalAppz /savecred "cmd /C """C:\Program Files\Everything-Search\Everything.exe""
Note there are three double quotation marks next to each other in front of the application path, and two at the end, so that the commands can be passed successfully.
Regardless of which one you end up using, on the initial run of the application it will ask for the password of the Local User that you created. Once you enter it, the application will run as the new Local Administrator. You can then close it and run it again with no request for a password appearing.
The Security Issue
The issue is that the Credentials are saved in the Credential Manager and can be used by anybody that understands how the setup was created.
An Example of this would be:
runas /user:fnwa001vs\LocalAppz /savecred "cmd /C compmgmt.msc"
This will give full access to Computer Management from where they can systematically start doing whatever they want to do on that Workstation.
The reason I chose this for the specific user is they are not users that tamper with anything on their Computer other than what they know how to do. They advise IT for the Slightest issue and there are other systems in place to try and prevent any unauthorized access.
It is highly suggested to only use this method when you know that unauthorized access will not happen.
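To keep track of where this setup is in place, the following PowerShell audit lists shortcuts that call runas with /savecred and matches them against the credentials saved for the logged-on user. It is an added example, not part of the original post. The function names and the shortcut folders searched are assumptions, and the parsing expects the English "Target:" lines printed by cmdkey /list.

```powershell
# Added example: audit a workstation for the runas /savecred setup described above.
# Run it as the logged-on user, because saved credentials are stored per user.

function Get-SaveCredShortcut {
    param(
        # Assumed locations: the user's and the shared Desktop and Start Menu.
        [string[]]$Path = @(
            [Environment]::GetFolderPath('Desktop'),
            [Environment]::GetFolderPath('CommonDesktopDirectory'),
            [Environment]::GetFolderPath('StartMenu'),
            [Environment]::GetFolderPath('CommonStartMenu')
        )
    )
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Path -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            # Target and arguments together form the command the shortcut runs.
            $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
            if ($cmd -match '(?i)\brunas(\.exe)?\b' -and $cmd -match '(?i)/savecred') {
                $account = if ($cmd -match '(?i)/user:(\S+)') { $Matches[1] } else { $null }
                [pscustomobject]@{
                    Shortcut = $_.FullName
                    RunAs    = $account
                    Command  = $cmd
                }
            }
        }
}

function Get-StoredCredentialTarget {
    # cmdkey /list prints one "Target: ..." line per saved credential.
    cmdkey /list |
        Select-String -Pattern '^\s*Target:\s*(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
}

$targets = @(Get-StoredCredentialTarget)
foreach ($s in Get-SaveCredShortcut) {
    # A saved entry naming the same account means the shortcut runs without a prompt.
    $saved = $targets | Where-Object { $s.RunAs -and $_ -like "*$($s.RunAs)*" }
    $s | Add-Member -NotePropertyName SavedCredential `
                    -NotePropertyValue ($saved -join '; ') -PassThru
}
```

A saved entry that is no longer needed can be removed with cmdkey /delete:<target>, after which runas prompts for the password again.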