Help elevating limited user status for admin purposes

T

Taylor

I'm trying to figure out a way to get past the problem we have on our
network of giving all users local admin rights.

The problem is that we get called to users desks to fix issues and its
often a huge pain to make a simple change to a printer setting or a
driver when the user does not have admin rights. So in the past we've
just given users admin rights, but this presents an even bigger
problem of "I'm gonna install smileysearchbarp0rn for fun."

We want to restrict users to a limited account such as user or power
user, but we would like to come to their desk, push a magic button,
temporarily elevate to admin rights over top their profile do our
changes, and demote them back to a limited account.

Is this possible without having them close all their programs, log
out, log in as administrator, fix a printer issue, or an Internet
Explorer issue and then log back out and back in to test?

Thanks,
--Taylor
 
C

Colin Nash [MVP]

Taylor said:
I'm trying to figure out a way to get past the problem we have on our
network of giving all users local admin rights.

The problem is that we get called to users desks to fix issues and its
often a huge pain to make a simple change to a printer setting or a
driver when the user does not have admin rights. So in the past we've
just given users admin rights, but this presents an even bigger
problem of "I'm gonna install smileysearchbarp0rn for fun."

We want to restrict users to a limited account such as user or power
user, but we would like to come to their desk, push a magic button,
temporarily elevate to admin rights over top their profile do our
changes, and demote them back to a limited account.

Is this possible without having them close all their programs, log
out, log in as administrator, fix a printer issue, or an Internet
Explorer issue and then log back out and back in to test?

Thanks,
--Taylor
Click to expand...

If you promote the user to admin (you could, for example, do this remotely
by connecting to the machine using the Computer Management MMC and adding
them to the local admin group), they still need to log out and back in for
it to take effect.

You can try the "Run As" command, to run whatever utility you want to...
http://support.microsoft.com/default.aspx?scid=kb;en-us;305780&sd=tech -- it
can get a bit awkward trying to use Run As to run the Control Panel (aka
control.exe), but it should be possible...
 
G

Guest

Taylor:

What if you had a local policy setting that restricts the users' abilities
to install programs, modify settings etc? Then, when they have a problem:
You walk to their desk (or efficiently use a remote control solution). Deny
them "read" access to this local policy. Refresh the local policy settings,
which would unlock the user. Then just change it back after making
corrections. This can be done using a "magic" button in the form of a batch
file. This can also be accomplished remotely.

Good luck.

Joe
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Admin Rights 2
admin rights 3
Admin vs limited user account 4
Admin - Limited user accounts. 3
Elevate user rights versus RunAs 2
adding to user group after first time login 1
How do I identify Limited-User Access (LUA) bugs in an app? 1
User rights for time zone changing 1

Top