I have a program installed on my W2k8 R2 server which needs admin rights to start.
I have 5 users using remote desktop to remote into the server to use that program. I don't want to give those users admin rights, but I do want them to be able to run the program properly.
Is this possible?
Your best bet is to figure out which registry keys and directory locations the program needs access to, and give your users access to just those areas.
You can use a tool like Process Monitor from Sysinternals for that. Simply log in as the user, start Process Monitor, run the program, and make note of the areas denying access.
I would probably use a Security Group in AD, and then give that Security Group access to those system locations. All you would have to do then is add users to that Security Group and they will be able to use that program on that system with their own credentials.
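The procedure described in the answer above, as an added example that is not part of any post in this thread: it reduces a Process Monitor CSV export to the paths that returned ACCESS DENIED and grants a security group rights on just those locations. The group name `EXAMPLE\AppUsers`, the `ExampleApp` paths and the CSV rows are constructed assumptions; the column names are those of Process Monitor's CSV export.

```powershell
# Added example: group name, application paths and CSV rows are constructed.
$Group = 'EXAMPLE\AppUsers'   # hypothetical AD security group; must exist to apply

# Constructed sample of a Process Monitor CSV export, captured while a
# non-admin user started the program.
$procmonCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","app.exe","4120","CreateFile","C:\Program Files\ExampleApp\data\app.log","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.2","app.exe","4120","RegOpenKey","HKLM\SOFTWARE\ExampleApp\Settings","ACCESS DENIED","Desired Access: All Access"
"10:01:02.3","app.exe","4120","CreateFile","C:\Program Files\ExampleApp\app.ini","SUCCESS","Desired Access: Generic Read"
"10:01:02.4","app.exe","4120","CreateFile","C:\Windows\System32\example.dat","ACCESS DENIED","Desired Access: Generic Write"
'@

# Keep only the denied operations and collapse repeats to unique paths.
$denied = $procmonCsv | ConvertFrom-Csv |
    Where-Object { $_.Result -eq 'ACCESS DENIED' } |
    Select-Object -ExpandProperty Path | Sort-Object -Unique

foreach ($path in $denied) {
    if ($path -like "$env:SystemRoot\*") {
        # Never widen ACLs on the Windows directory automatically.
        Write-Warning "Review manually, not granting: $path"; continue
    }
    if ($path -match '^HKLM\\') {
        # Registry key: map Procmon's HKLM\ prefix to the PowerShell drive.
        $target   = $path -replace '^HKLM\\', 'HKLM:\'
        $ruleArgs = $Group, 'ReadKey,SetValue,CreateSubKey', 'ContainerInherit', 'None', 'Allow'
        $rule     = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $ruleArgs
    } elseif ($path -match '^[A-Za-z]:\\') {
        # File: grant Modify on its directory so files created later inherit it.
        $target   = Split-Path -Parent $path
        $ruleArgs = $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $rule     = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    } else {
        Write-Warning "Unhandled path type, skipping: $path"; continue
    }
    if (-not (Test-Path $target)) { Write-Warning "Missing, skipping: $target"; continue }
    $acl = Get-Acl -Path $target
    $acl.AddAccessRule($rule)
    # -WhatIf reports the change without applying it; remove it after review.
    Set-Acl -Path $target -AclObject $acl -WhatIf
}
```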
Definitely use Cypher's suggestion. I've solved many pesky application issues by granting a user modify rights to specific install directories via security groups (and if needed reg keys). Unfortunately this assumes a halfway competent programmer wrote the app and there aren't one or two files in c:\windows or c:\windows\system32 that need the same access.
Thanks for the answers, this is how I ended up solving it:
C:\Windows\System32\schtasks.exe /run /tn "Name of task"
The only downside of this is that I need to create a separate task for every user, but I think it works just fine.
Thanks everyone.
Why not create an "applicative user" - used only for the task and that only you know the PW for?
This way you don't need to create a separate task per user and at the same time grant this user admin rights to the app.
Windows doesn't have the "setuid" concept from UNIX. There are really only two ways to get to where you're after:
The first option is to do a "run as" type scenario, where the logged-in user needs to have the appropriate password for the elevated user. The other is to write a "helper" service that runs with administrator privileges (as services generally do) which will then grant elevated privileges to the user for that one process.
I'm a bit fuzzy on the details of this second option, but I've seen it done before at a company where I used to work.