4

How can I enable non-admin users to run a certain application (in my case, a script) with admin permissions on Windows XP?

This would be similar to the setuid bit on *nix.

Lev
  • You can use built-in runas or sudo for windows http://sourceforge.net/projects/sudowin/ – Mircea Vutcovici Feb 16 '10 at 21:57
  • 1
    Runas or sudo aren't similar to the setuid bit because they require you to type a password. Setuid just runs the application as a different user without requiring a password for that user to be typed. – MattB Feb 16 '10 at 22:40

3 Answers

4

Here is a previous very similar topic:
Set uid for windows

Short answer no, with a but. Long answer:

The proper Microsoft-approved way to do this is to create a "shim" for your application that redirects anything that needs admin rights to a similar user-mode area. For example, if your app tries to save a registry setting to HKLM, the shim will put it in HKCU instead.

Also check out Aaron Margosis' blog for lots of detail on this type of thing.

MattB
  • What I actually need is to restart a service. Namely, the printer spooler service. – Lev Feb 16 '10 at 22:06
  • 4
    Ahh, well that is a different question - you should be able to change the ACLs on the service to allow all users to start/stop the service. If you get subinacl I think the command line would be: subinacl /service spooler /grant=Everyone=F (you can obviously change this to specific users or specific access permissions) http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en – MattB Feb 16 '10 at 22:17
  • 4
    I would not grant Everyone Full access for 2 reasons. Firstly Everyone creates a security hole in that un-authenticated and non-domain users will now have access. Secondly, Full access allows a user to change the ACLs on the service (in addition to having access to stop and start the service) – Sam Feb 16 '10 at 23:38
  • 1
    Excellent point - a better option for the actual ACL might be "TOP" instead of "F" - this will allow only start/stop/pause/continue control. To not grant it to everyone, create a group (either in AD or on the local system) and do /grant=GROUPNAME=TOP – MattB Feb 16 '10 at 23:59
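
The two objections raised in the comments above (a trustee as broad as Everyone, and Full access including the right to edit the ACL) can be checked against the SDDL string that `sc sdshow spooler` prints. The following is an added example, not code from any of the posters; the SDDL samples and the group SID are constructed, and the function names are hypothetical.

```python
import re

# SDDL right codes as they apply to service objects.
CONTROL = {"RP", "WP", "DT"}  # start, stop, pause/continue (subinacl "TOP")
DANGEROUS = {"DC": "change config", "SD": "delete service",
             "WD": "WRITE_DAC (edit the ACL)", "WO": "WRITE_OWNER",
             "GA": "generic all", "GW": "generic write"}
BROAD = {"WD": "Everyone", "AN": "Anonymous", "AU": "Authenticated Users",
         "IU": "Interactive", "BU": "Users"}
ADMIN = {"BA", "SY"}  # Administrators and LocalSystem normally hold full control

# Constructed samples: the effect of /grant=Everyone=F versus /grant=GROUPNAME=TOP.
# The group SID is a made-up placeholder.
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
FIXED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
         "(A;;RPWPDT;;;S-1-5-21-1111111111-2222222222-3333333333-1001)")

def parse_dacl(sddl):
    """Return (ace_type, rights, trustee) for every ACE in the DACL part only."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        f = body.split(";")
        # Two-letter codes only; a hex access mask is not decoded here.
        codes = [] if f[2].lower().startswith("0x") else re.findall(r"[A-Z]{2}", f[2])
        aces.append((f[0], set(codes), f[5]))
    return aces

def audit(sddl):
    """Flag allow-ACEs that give non-admin trustees more than they need."""
    findings = []
    for ace_type, rights, trustee in parse_dacl(sddl):
        if ace_type != "A" or trustee in ADMIN:
            continue
        name = BROAD.get(trustee, trustee)
        for code in sorted(rights & set(DANGEROUS)):
            findings.append((name, DANGEROUS[code]))
        if trustee in BROAD and rights & CONTROL:
            findings.append((name, "service control granted to a broad trustee"))
    return findings

if __name__ == "__main__":
    for label, sddl in (("Everyone=F", WEAK), ("GROUPNAME=TOP", FIXED)):
        print(label, audit(sddl) or "no findings")
```
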
2

There is a special program for these purposes - Admilink.

It creates a special encrypted link to the targeted file (I tested it only with .exe files) - you need to do this only once. When you click on the link, the program (Admirun.exe) automatically starts the program in the link with the special rights (the rights depend on the user selected during the link creation process - you can use an admin account, a domain account name, etc.).

Restrictions: During the link creation process (only once) you need to have an admin account.
Admirun.exe must be present in your Windows folder (module included in Admilink).
All documentation is in Russian :). Learn Russian or ask me for additional help

P.S. It's FREE for non-commercial use.
P.P.S. It has lots of additional functions

user35115
0

You can use Runas with a utility called SANUR.exe that allows the password to be piped in, instead of having it typed!

http://www.commandline.co.uk/sanur_unsupported/index2.html

ggonsalv