Allowing non-admins to run programs as admins

2

2

How can I enable non-admin users to run a certain application (in my case, a script) with admin permissions on Windows XP?

This would be similar to the setuid bit on *nix.

Lev

Posted 2010-02-16T21:38:14.250

Reputation: 245

Remember though that your script likely runs through an interpreter. And said interpreter needs the access. So the user is free to do anything the scripting language would allow him. I'm not aware of restricting access to only a certain command-line; that's only program-level restriction, afaik. – Joey – 2010-02-17T11:00:19.600

Answers

5

There may be a better way to do this, but:

  1. Create an administrator account dedicated for this purpose
    -> Users can now right click and do "Run As"
  2. Apply group policy for that administrator account so they can only run the processes required

You may also want to add the administrator account to "Deny Login Locally" and "Deny Login Remotely", so they can't log in. However, I do not know if this prevents them from using the "Run As" command.

ta.speot.is

Posted 2010-02-16T21:38:14.250

Reputation: 13 727

Couldn't they just alter the group policy as well if they're administrator? I mean, “Administrator” means “You're free to do as you please”—is it even possible or feasible to lock-in such a user? – Joey – 2010-02-17T10:54:34.280

If the process that they are granted access to run in Group Policy allows modifying the registry, yes. However, if they are only allowed to run notepad.exe then they are severely limited in what they can do. Conceivably they could use notepad to write a batch file that parses the registry.pol files for Group Policy and changes what processes they are allowed to run, save the batch file into another administrator's startup folder and wait for the other administrator to log in. If these are public terminals with software like DeepFreeze installed and nightly reboots this is less of a problem. – ta.speot.is – 2010-02-17T12:40:50.553