I'm currently managing a large group of Windows 7 machines where no one has privileges to install applications (all 64-bit Enterprise version of Windows 7).
Because no one has privileges to install things, we manage software installations in two ways:
- Centrally via software deployment server – we have a product that can run any executable with admin privileges
- Shortcuts on people's desktops for self-service installs/updates
For #2 above I found a .vbs script from Jeffery Hicks that let's us call any executable using the RunAs command and the .vbs script passes in the password.
However, this .vbs script solution is starting to cause us problems because our users are starting to close the runas command window more and more. I've already tried modifying it to call WshShell.AppActivate by process ID, but our users still manage to close it down before the password is entered in via WshShell.SendKeys.
We've tried communicating to our users not to touch the window but that isn't working either.
Are there any solutions out there that will let us call any executable as a different user WITHOUT having to type in a password or wait for a .vbs script to pass in the password?
I found RunasSpc and Steel Run As… is there anything else that people have found that works?
Best Answer
Instead of publishing updates to their desktop and using those scripts (which allow the password to be sniffed out since it has to be passed in plain text to
run as) you should use Group Policy Software Installation in Publish mode instead of Assign mode. This will allow users to go into Add/Remove Programs and install it on demand.