Run Application as Administrator for Non-Admin User

Sometimes it is necessary to run Applications as an Administrator otherwise the functionality on the Program just does not work. This was the case with one of our Financial systems which once a week I had to be next to the users to keep entering my Admin Credentials. I have tried everything you could search Online to have the application run without my intervention.

  1. Full Permission on the Folders being accessed
  2. Varios Local User Permissions
  3. Running the task from a Task Scheduler
  4. Ect…

There is a few stuff I rather opted not to do as the potential Security risk was too high for me to accept.
Finally, I decided on the following solution as I could control some of the Security Concerns.

Overview

The solution would be to create a Local User with Admin Rights on only the user’s PC that requires an application to run as Administrator. Because the site has a Domain Controller running Some Group Policies, I had to update the specific GPO to not remove the new Local User from the Administrator group.

The new Local User would then have a unique password to that PC only. If credentials do get used for anything other than the intended purpose it can only be used on that one PC and not on another PC with a similar setup.

After this has been done, the Shortcut will then be Modified to run the application with the newly created Users Details.

Implementation

Local User

Create a New User by opening the Computer Management as Administrator.

Computer Management

Once open browse to Local Users and Groups, then Right Click (Alternate Click) Users and choose New User…

Local Users and groups

In the new Dialog, you can create the user that will have Local Admin Right. I suggest using a Password Generator to make it as complicated as possible. Next, Untick “User must Change Password at Next Logon” and Tick “Password Never Expires

If your password is sufficiently strong and you are not using it anywhere else this should not be easily compromised.

New User

Go back into the newly created users Properties and then to Member Of. Click Add.. then in the Search Dialog search for Administrators and click Check Names and OK. This should assign the User with the required Rights.

User Permissions

Ammend Shortcut

With that done you can now go to the Shortcut of the Application you need to run as Administrator. Right-click and choose properties. There will be one of Two commands you can paste in front of the Target:

The first is Simply:

C:\Windows\System32\runas.exe /user:ComputerName\LocalAppz /savecred “Application”

Example:
C:\Windows\System32\runas.exe /user:fnwa001vs\LocalAppz /savecred “C:\Program Files\Everything-Search\Everything.exe”

Shortcut Example

This will run the software directly and works with most applications. The Problem I found is some application just does not run. For these applications, you can try the following command in front of the application Target Location which runs Command Prompt, and then from Command Prompt it runs the application:

C:\Windows\System32\runas.exe /user:fnwa001vs\LocalAppz /savecred “cmd /C “”“Application”

Example:
C:\Windows\System32\runas.exe /user:fnwa001vs\LocalAppz /savecred “cmd /C “”“C:\Program Files\Everything-Search\Everything.exe”

Shortcut Example

Note there are Three Double Quotations next to each other so that the commands can be passed Successfully and two at the End

Regardless of which one you end up using on the initial run of the application, this will ask for the Local User that you created password. Once you enter it, the application will run as the new Local Administrator. You can then close it again and run it with no request for a password to appear.

Initial Run as Admin

The Security Issue

The issue is the Credentials are saved in the Credential Manager and can be used by anybody that understands how the setup was created.

Credential Manager

An Example of this would be:
runas /user:fnwa001vs\LocalAppz /savecred “cmd /C compmgmt.msc”

This will give full access to Computer Management from where they can systematically start doing whatever they want to do on that Workstation.

The reason I chose this for the specific user is they are not users that tamper with anything on their Computer other than what they know how to do. They advise IT for the Slightest issue and there are other systems in place to try and prevent any unauthorized access.

It is highly suggested only use this method when you know the chance of unauthorized access will not happen.

********************************************************

If you liked what you read Please Share.
I’d love it if you followed me on YouTube and Facebook.

Also, feel free to subscribe to my posts by email.
Donations for the site can be made here.
Thanks for reading.

Spread the love

Leave a Reply

Your email address will not be published. Required fields are marked *