Windows 10 Allowing a Regular User to Launch One Application as Admin
-
We've got a Windows 10 box that traditionally the customer has given admin rights to the end user because there is one simple application that runs on it that needs them. Instead of having them have system-wide administration rights (especially given that they were hit with ransomware this week) we want to lock them to only have admin rights for this single application.
Windows 10 (and all version from Windows Vista and later) has the built in command line tool called runas. This is purpose built for this reason. Kind of like sudo for UNIX, but not quite the same functionality. This would be great, but requires the user to know and enter the password of the elevated account. That's great for maximum security, but might not be transparent enough for a lot of users or situations.
A free tool to get around that limitation is RunAsTool. This is a GUI tool that does something similar but allows the password to be stored.
-
What about using the /savecred switch?
runas /savecred /user:USER-NAME "C:\full\path\of\Program.exe" -
This is what I use
-
@dbeato said in Windows 10 Allowing a Regular User to Launch One Application as Admin:
This is what I use
We've been doing it this way for years.
-
Didn't read the links. But if it involves runas and saved creds, we do this.
We make a
batfile and give it the icon of the application.
That launches the application with a/runasExample, we have a shortcut file with this as the target.
C:\Windows\System32\runas.exe /user:domain\localadmin /savecreds "C:\AdminShortcuts\Bobcat\Bobcat.bat"
That
batfile launches.@echo off cd \ cd Program Files (x86) cd G2ScanBobcat start bobcat~1.exe
We have more than one application requiring this.
-
The first time it is used, we have to manually type the
domain\localadminpassword.
After that it is stored in credential manager.
