permanently run a program with alternate credentials

[Guest]

I run a school lab, and the students use normal (restricted) accounts.

I have a need to run two programs, QuickBooks and PeachTree accounting, which will not run in a restricted user context. What tech support is available from the vendors is "run it as a Power User", which is not going to happen. I'd like a way to either permanently run these programs in an alternate user context while hiding the password, or a way to fix the application software so it runs with a normal account. In either case, if it can be done by policy, that would be great (6 labs, 30 computers each, 3 profiles per computer)

The secondary logon service ("runas") requires the users to know the password of the alternate account. I want to permanently delegate administrative access for these two specific programs and nothing else, and leave the accounts as normal, restricted users.

 

[Doug Knox MS-MVP]

You can use the /savecred switch with RunAs, but that becomes permanent, and
doesn't only apply to that particular application. You need to find out
from the companies responsible, what folders and registry entries that these
programs need "write" access to, and adjust the permissions.

--
Doug Knox, MS-MVP Windows XP/ Windows Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

I run a school lab, and the students use normal (restricted) accounts.

I have a need to run two programs, QuickBooks and PeachTree accounting,

which will not run in a restricted user context. What tech support is
available from the vendors is "run it as a Power User", which is not going
to happen. I'd like a way to either permanently run these programs in an
alternate user context while hiding the password, or a way to fix the
application software so it runs with a normal account. In either case, if
it can be done by policy, that would be great (6 labs, 30 computers each, 3
profiles per computer)

The secondary logon service ("runas") requires the users to know the

password of the alternate account. I want to permanently delegate
administrative access for these two specific programs and nothing else, and
leave the accounts as normal, restricted users.

 

[John Koswalski]

A trick I used was monitoring the apps with regmon en filemonfrom
www.systernals.com en than adjusting the permissions accordingly just for
those keys, folders or files.

It works good only one app just wrote/deleted files constanly to the
system32 folders so that was a bit of a bummer.