Windows – Allow Standard User to Run Program as Local Admin Without Elevation Prompt

powershellwindows

I work in an environment where local admin privileges for users isn't allowed. At all. This is very nice, but can be also be a pain when employees who must have local admin permissions to run a program or install software that requires elevated privileges even if only to do the install. There is a user in bookkeeping who receives a monthly DVD from a vendor of ours that contains much needed reports. In order to look at the reports and make a backup, she must run the executable on the DVD. The executable requires Admin privileges for the install. So since I've been here, every month I run the .exe, UAC appears and I supply the much-needed information to run the installer.

If this was a one time program I would use the Microsoft Application Compatibility Toolkit gimmick to bypass UAC http://www.techrepublic.com/blog/windows-and-office/selectively-disable-uac-for-your-trusted-vista-applications/ However, since this is a new DVD sent to her each month I need some kind of tool she can use herself for this operation.

I have looked around Server Fault and also did Google-Fu, but haven't found anything useful. I might be one of some in a unique situation.

I want to use Poweshell to make the tool. Ideally, I want her to be able to put in the DVD and then launch the Poweshell tool (from her desktop shortcut, no doubt) that looks at the DVD drive and runs the setup.exe file as a local admin without the UAC prompt, without her having to supply any credentials.

What I have so far is some pieced together junk at the moment. I am not a Powershell Jedi. I am a Poweshell padawan. I have half of what I need. I still need to store the password so it doesn't have to be defined and input each time she runs the script. I want this to be as smooth and as few clicks as possible.

For the creds I am choosing to go with the local admin account since that password doesn't change. The local admin account will get the job done. I will need to store that account information on the computer so Powershell can retrieve the account each time she runs the script. So this will need to be an encrypted file in a path variable. 

# define path to store password and input password 
$path = "C:\Users\User\Password folder"
# get the encrypted local admin password from user path
$encpwd = Get-Content $path\admin.bin
# convert admin file to secure string 
$passwd = ConvertTo-SecureString $encpwd
# define local admin credential 
$cred = new-object System.Management.Automation.PSCredential 'computer name\local admin',$passwd
# go to DVD drive launch setup.exe as local admin with no user input required
Set-Location D:\
Start-Process PowerShell -Cred $cred -ArgumentList .\setup.exe

I might get a few downvotes for this, but I know somewhere I need to define and put in ""Read-Host "some text about entering password" -AsSecureString"" in an existing variable or a new variable. I have to get the password input into the process. I have tried a few spots. Thoughts? Wisdom? Impossible?

Windows 7 Pro
Powershell v4

Best Answer

Run As Administrator Without Being Administrator

Allow a non-admin user to run a program as a local admin account but without elevation prompt

Below are instructions for setting up a workaround to get an application to run as another account that is a local administrator. The account that executes the process does not need to be a local administrator on the PC though.

The Windows Workaround (see all below notes)

Examples

  1. Create Username (domain or local): ProxyRunAsLocalAdmin

  2. Create Password (domain or local): <SomeComplexPassword>

Notes

  • This account is setup as local admin on PCs where something needs to be run with admin permissions without actually giving the end-user which will run it (execute) local admin permissions.

  • This is a last resort option for things which will not work for non-admins on the local machines where giving their account (the end-user and/or some group) explicit registry and file system level object access does not work.

Security

  • No one is to have this information other than domain administrators—i.e. don't share with the end-user.

Creating a shortcut with the RUNAS (this could be D:\Setup.exe)

Shortcut Properties Example

TARGET Field Example (below):

%systemroot%\system32\runas.exe /user:domain\ProxyRunAsLocalAdmin /savecred "C:\Program Files\BlueStacks\HD-StartLauncher.exe"

START IN Example: "C:\Program Files\BlueStacks"

enter image description here

IMPORTANT: The double-quotes around the Start In: field may be required whether or not there are any spaces in the path.

Additional Setup Notes

  • You can create a domain user account or a local PC user account for this purpose and give it local admin permissions to the local machine whenever such a solution is needed.
  • You'll have to run the shortcut with the "RUNAS, etc." when signed onto the PC as the user that will need to execute that process without being a local admin themselves. When you do this, you will be required to type in the credential—caching it this ONE time but it'll not be needed on each subsequent execution of the process using the RUNAS and /SAVECRED again from that SAME user account profile moving forward.
  • This password to this account is NOT shared with anyone, only the domain\systems admins have this information and plug it in wherever needed per user per machine—it is a per Windows user account profile type deal as well. So, if you create a new profile for a user and this solution is needed, then the shortcut will need to be run again so the credential is cached for their profile as well (by an admin).

Security Notes

  1. You cannot restrict local login access for the account through group policy or the account will not be able to RUNAS interactively—I already tried that for security but I could not get it to work properly.
  2. Since this is a cached credential with local admin permissions on it, technically an end-user where this is saved could apply this same RUNAS technique to another EXE or via command line if that's allowable. This means you as the admin need to weigh in the upsides and downsides with this solution including the risks. Perhaps allowing this for your trustworthy people or items that are ongoing or needed over and over again without actually granting the end-user local admin is fine.

Controls

You do have some controls in place for this solution though such as . . .

  • Pick which machines you want to allow this to run runas from
  • Pick which user profiles on each machine you want this to runas from
  • You have to go to the user profile on this machine and type in the credentail the initial time regardless
  • The exposure is to local machine at the PC level, not the domain level since the local or AD account is a member of the local machine IP address
  • Don't give this account any network resource access to anything (only local PC admin per each individual PC as-needed)
  • If you ever want to do a mass disable of this feature (assuming using a domain account) then simply disable the account or change the password
  • Ensure that others are aware of some of these ramifications, etc. and get them to approve so you're not the person making the decision to use this or not
Related Topic