The short answer: DO NOT DO THIS. You're only going to open your system to a HUGE, and I do mean HUGE system security flaw: Once you /savecred, you're saving your admin password to the users profile, UNCONDITIONALLY, for them to use any time, any way they like. That means, once saved, they can launch a console window (CMD prompt), type in "runas /savecred /user:administrator cmd.exe" and instantly launch a new command console with full admin rights to do anything they want. You probably do not want them to be able to do this!
What I think you really want is to allow any user to run a specific command without being asked for elevated (admin) permissions or needing to enter an admin password. For this, there is a secure and working solution in modern Microsoft(tm) Windows operating systems: Set the program to run as a scheduled task with the specific access rights that the program needs. You might create a user account specifically for this program, or you might just use the admin/system credentials for this, and only this, program. Here's how..
First, you need to set up a scheduled task, like any other scheduled task. You must assign it a specific command line (so if you need to pass parameters to the task, you'll have to use scripting or batch files to create an "parameter file" to pass the parameters to the program, or use some other method to do so.. This solution isn't perfect!). You can then assign it whatever security rights you need to give it. Name it something appropriate--and avoid the use of spaces in the name to keep it simple; We're going to be using this name to actually run the program when your user needs to run it. Also, do not schedule an actual time to run the task, since we'll be calling it to run on demand in a moment, rather than always running at a specific time.
Once the task is created, the next question is going to be "How do I RUN it?" Well, you either create a shortcut, or a batch/script file, which will call the scheduled task to run: "schtasks /run /tn name-you-gave-the-task-above". So, if you created a task called "AutoAddLocalPrinters" (a common admin task, for example), you'd create a batch file or shortcut to run the command "schtasks /run /tn AutoAddLocalPrinters" (if you did name it something with spaces, you'll have to put the entire name in quotes--this is why I avoid spaces in names).
Note that the only time it requires admin rights or a password is when setting up the scheduled task. Just running the task once set up does not need a password, does not ask for one, and most importantly, does not globally and blindly save the admin password to the users profile. It's saved as part of the scheduled task, which only affects that, and only that task, and won't let the user modify or change it, or start a new elevated console prompt with it, etc.
Furthermore, you can adjust the permissions on the scheduled task to allow only certain user groups to run it, and so on. You can further fine tune it by creating special user accounts or batch/script files with which you can check and validate any permissions of criteria you desire. For example, if you have children, you can create a script which checks if it's past their bedtime before allowing them to launch their chat program.. ;-) In short, you can pretty much do anything you want or need to do to validate and control how the program is run (or denied).
Finally, one more advantage (or disadvantage..) to doing it this way: It works on just about every edition of Windows where you can schedule tasks and run the "schtasks" command. For example, my understanding is that Windows Home editions ignore the /savecred option of "runas" anyhow, so you'll always have to provide the password. A scheduled task will run with the credentials you set it up with, even in Home editions.
Footnote: I mention this because I usually remove many program paths from the system PATH variable, and add "C:\sys\admin;C:\sys\bat;C:\sys\bin" to the system path. Then under the "C:\sys*" folders (you'll need to create them, obviously), I create individual batch/script/shortcut files which call the real programs or scheduled tasks. This way, I have complete control over who, what, when, where, and how various programs are allowed/disallowed to run. It also helps prevent stupid errors--One error I've actually encountered was one of my end-users trying to convert a file and running the "convert" command without knowing what they were doing. Since Windows already has a "convert" command, which converts FAT to NTFS, all they managed to do was convert their file system.. They got lucky and it still worked since their computer didn't care if the file system was FAT or NTFS. But now I always have a C:\sys\bat\convert.bat file which slaps them on the hand and tells them to talk to me before trying to run this command.. ;-) I do the same with many other potentially dangerous or power-user commands that can seriously cause problems when mis-used/mis-typed.
Good luck!
2Add note: If you've already *EVER* run "runas /savecred ..." under the user account, you'll have to remove the saved credentials with this command: rundll32.exe keymgr.dll, KRShowKeyMgr -- You'll also be able to see a list of any credentials the user will be able to use with "runas". – C. M. – 2015-04-20T17:32:51.733
which is safe solution ? – Kiquenet – 2020-01-21T09:47:08.223