Regular users run programs without admin privs?

Feb 29, 2004 2:56PM PST

I am having problems with certain programs in my domain. Some of my computers need to run programs, but these programs for one odd reason or another cannot be run by anyone other than an administrator. I've gone into local security policy settings, software restriction policies, created a new policy, and created a new rule explicitly giving unrestricted access to the programs in question. This solved one of the programs, but the other two STILL won't run without an administrator. I'm trying desperately to maintain the integrity of my network, and I don't want to give away admin privs to anyone who explicitly doesn't need them, but Windows XP keeps forcing me to do so, as certain users wouldn't be able to do things they need to do on their current workstations otherwise. Any suggestions?

Re:Regular users run programs without admin privs?
Feb 29, 2004 8:06PM PST

It's a far from ideal solution, but it's considerably more secure than what you're doing.

Get a couple copies of a program such as VMware or really any x86 emulation program will do if it can run Windows. Install a second copy of Windows using VMware, and then install the apps necessary under VMware. Then you can set a completely different admin password while still allowing the people to run these programs.

Or possibly they could use Remote Desktop/VNC to remotely use another system that is logged in using an account with the necessary access that is otherwise isolated.

Both are rather ugly solutions, and it'll require a little more work on your part, but I'd still say it's better than handing out the admin password to the average network user. Because you just know one or two of them will turn cowboy and abuse that. It also buys you a little more time to try and find an alternate solution (although with Windows, good luck).

Re:Regular users run programs without admin privs?
Feb 29, 2004 8:40PM PST

You left out the most critical clue. What program?

Just FYI, this is not a new issue. Windows 2000 (and NT) admins have been down this road before. There is no "do-this" cure, but you cure each one as you find it. By leaving out the critical information, I can't tell if I've solved yours before.

Bob

Re:Re:Regular users run programs without admin privs?
Mar 2, 2004 9:02AM PST

If anyone's interested, I think I found a universal fix for this problem. I finally entered the magical combination of search terms on Microsoft's website (actually, on their expertzone, and not in their knowledge base) and got a hit that answered my question:

Create a direct access on the desktop with the following runline command:

%windir%\System32\runas.exe /profile /savecred /user:Administrator "d:\setup"

Where 'Administrator' is the name of the account with administrative privileges and d:\setup is the path to the program you want to open under a limited account.

Create this direct access on the limited account, then when you run it for the first time, it will ask for the account's password. Then it will open normally like every other program, and you won't have to type the password each time you open the program.
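
An added example, not part of the thread: a credential saved with `/savecred` is kept in the limited account's credential store and is not restricted to the program named in the shortcut, so it helps to inventory where such shortcuts exist. This audit helper scans command lines (for instance shortcut targets collected from workstations) for `runas` invocations that use `/savecred`; the function names and the sample command lines are constructed for illustration.

```python
import re

# Constructed sample command lines, e.g. shortcut targets gathered from workstations.
SAMPLES = [
    r'%windir%\System32\runas.exe /profile /savecred /user:Administrator "d:\setup"',
    r'runas /user:CORP\svc_install "c:\tools\update.exe"',
    r'C:\WINDOWS\system32\RunAs.exe /SaveCred /User:Administrator "C:\Program Files\Acct\ledger.exe" /quiet',
    r'notepad.exe c:\notes\runas-savecred.txt',
]

# First token must be runas or runas.exe, with or without a directory prefix.
RUNAS_EXE = re.compile(r'(^|[\\/])runas(\.exe)?$', re.IGNORECASE)
# A token is either a double-quoted string or a run of non-whitespace.
TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_runas(cmdline):
    """Return the switches of a runas invocation, or None if it is not one."""
    tokens = TOKEN.findall(cmdline)
    if not tokens or not RUNAS_EXE.search(tokens[0].strip('"')):
        return None
    info = {"savecred": False, "user": None, "program": None}
    for tok in tokens[1:]:
        low = tok.lower()
        if low == "/savecred":
            info["savecred"] = True
        elif low.startswith("/user:"):
            info["user"] = tok[len("/user:"):].strip('"')
        elif not tok.startswith("/"):
            # First non-switch token is the program; later tokens are its arguments.
            info["program"] = tok.strip('"')
            break
    return info


def find_savecred(cmdlines):
    """List (user, program) pairs for every runas call that relies on /savecred."""
    hits = []
    for line in cmdlines:
        info = parse_runas(line)
        if info and info["savecred"]:
            hits.append((info["user"], info["program"]))
    return hits


if __name__ == "__main__":
    for user, program in find_savecred(SAMPLES):
        print(f"saved credential for {user!r} used to start {program!r}")
```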