Running Programs with Elevated Privileges

[Jeff Smyrski]

I am looking for a way to allow several programs run with
elevated privileges. For example, a certain software
company has written a program that calls several other
custom programs. In all of this the main program itself
installs and uninstalls DCOM objects, and also configures
hardware programatically such as a COM port for a Serial
Printer. This is causing an issue, and the suggested
solution is to open the security up for these users to
run the program by making them Power Users locally, but
since they log into a domain, it would mean giving them
more privileges on the domain than they should have. The
program runs accross the domain in a shared location on a
server build for the core programs to run from.

I am looking for a way to simply create either a GPO or
script to alter the permissions for these programs to run
with elevated privileges, kind of like a RUN AS feature,
but with out manual intervention. Any suggestions would
be very useful. Thanks.

Jeff Smyrski -
TechNet Plus Subscriber.

 

[Lanwench [MVP - Exchange]]

I am looking for a way to allow several programs run with
elevated privileges. For example, a certain software
company has written a program that calls several other
custom programs. In all of this the main program itself
installs and uninstalls DCOM objects, and also configures
hardware programatically such as a COM port for a Serial
Printer. This is causing an issue, and the suggested
solution is to open the security up for these users to
run the program by making them Power Users locally, but
since they log into a domain, it would mean giving them
more privileges on the domain than they should have.

Not so - it will only give them more privileges on the local computer, not
the domain. That said, it may still give them more privileges on the local
computer than you'd like.

The
program runs accross the domain in a shared location on a
server build for the core programs to run from.

I am looking for a way to simply create either a GPO or
script to alter the permissions for these programs to run
with elevated privileges, kind of like a RUN AS feature,
but with out manual intervention. Any suggestions would
be very useful. Thanks.

Wish I could offer more advice - runas is the only thing I can think of.

 

[Jeff Smyrski]

I think the domain policy is overriding anything local since the user in
question is actually created and placed in the local administrator's group
on that machine. But they still log into the domain not locally. Which
still does not allow the program to make the registry changes it is trying
to.

Thanks
Jeff

"Lanwench [MVP - Exchange]"

 

[Lanwench [MVP - Exchange]]

What do you have in your policies?

I think the domain policy is overriding anything local since the user
in question is actually created and placed in the local
administrator's group on that machine. But they still log into the
domain not locally. Which still does not allow the program to make
the registry changes it is trying to.

Thanks
Jeff

"Lanwench [MVP - Exchange]"

Not so - it will only give them more privileges on the local
computer, not the domain. That said, it may still give them more
privileges on the local computer than you'd like.


Wish I could offer more advice - runas is the only thing I can think
of.

 

[Steven L Umbach]

You could either try adding the domain users account to the local power users group
on the domain computer where they need extra permissions or look into applying the
compatws.inf template witch will give a user the same ntfs and registry permissions
as a power user without the extra rights such as creating shares. Making a user a
local power user or administrator does not give them any more power in the domain,
but it makes it a lot easier for them to mess up their computers such as installing
unauthorized software. Ideally you would want to modify ntfs/registry permissions so
that a regular user could run the applications and free third party tools such as
Regmon and Filemom from SysInternals [which needs to be invoked with runas/admin
credentials while logged on as a regular user just before trying to run the
application] could help you possibly track down those permissions needed, but from
what you describe it may not work in your case because of all that the application
does. --- Steve