How to launch a GUI Windows application with administrator rights without asking for the pasword from the user?

The user using the computer logs-in to the Windows 7 Professional system through an Active Directory domain and has no administrative rights.

I am the administrator and can give him the rights but, for obvious reasons, don't want to.

The user needs to use one special application (a surveillance dashboard) that demands local administrative rights.

So I need the user to be able to run this (and only this) particular application in elevated rights mode without knowing the password (I don't mind to enter and save it for this shortcut but I couldn't find such an option). And/or (both, ideally) the application to start up (elevated) after the user logs in.

I understand that this is going to be a security breach anyway, but there is hardly any choice.

I have tried adjusting the shortcut properties in many different way with no luck - it still asks for an administrator credentials.

I have also tried experimenting with Task Scheduler but the best result I reached is the application running invisibly with no GUI shown (in all the other set-ups the task was just failing to start).

Any suggestions?

Ivan

Posted 2013-06-21T14:11:40.523

Reputation: 6 173

I think it is not possible to run the application without admin creds. unless user has Administrative privileges. – Dilshod – 2013-06-21T14:16:05.933

Answers

PROBLEM: You're trying to run these computers like a responsible admin, by not giving user's admin rights, and some crappy company writes some crappier app that wants admin rights to run

SOLUTION: Shim it! Use the Microsoft Application Compatibility Toolkit

In computer programming, a shim (from shim) or shiv is a small library that transparently intercepts an API and changes the parameters passed, handles the operation itself, or redirects the operation elsewhere. They fix Compatibility issues for older applications which still rely on the older functionality. In such cases, the older API can still be supported by a thin compatibility layer on top of the newer code. Shims are used for running programs on different software platforms than they were developed for. (Source: Wikipedia)

I.E. a program that was written for XP and insists on running as an admin Look into shimming the application. It's like the Jedi Mind trick of IT. Shims will allow you to trick the program into thinking it has admin rights. Chances are all it really needs is just read/write to c:\program files\crappy company\crappy app or one single regkey.

http://blogs.technet.com/b/askperf/archive/2011/06/17/demystifying-shims-or-using-the-app-compat-toolkit-to-make-your-old-stuff-work-with-your-new-stuff.aspx

http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx

MDT Guy

Posted 2013-06-21T14:11:40.523

Reputation: 3 683

You can Schedule Task that monitors for log activity (watch EventLog for the Security ID of successful login) and start the application as a task and change the run task as to an administrator account. That'll ask you to enter the password once, then it'll save.

user2480011

Posted 2013-06-21T14:11:40.523

Reputation: 66

If I do so, the process of the application starts belonging to the administrator and the user can neither see it in the processes list (in Task Manager) nor... tada! nor see its damn window! So this makes no sense in my case as I don't need to execute a background task - I need the user to see the application window and be able to use it interactively. – Ivan – 2013-06-21T17:58:28.370

Configuring the task to run for the user (not andministrator) but with "highest privileges" helps neither. – Ivan – 2013-06-21T18:00:46.757

Hmm... Another way I know it works (because I've triggered remote installation on PCs) is to use psexec with the following options:

PsExec.exe -s -i \\{hostname} cmd /c "start "" "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe""

I've tried to start a .bat file which executes a psexec.exe with the following switch and made that .bat file run as an Administrator on Scheduler, but that doesn't seem to work. I need more time to troubleshoot this. On the mean time, you can start the application on the user's request from your PC with run as an admin account of the user's PC. – user2480011 – 2013-06-21T20:23:48.413

This command will work as well: PsExec.exe -i -s \\{hostname} -u {DOMAIN\USERNAME} -p {PASSWORD} cmd /c "start "" "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe"" – user2480011 – 2013-06-21T20:28:57.000