Run a program as admin

[Hdhsgaydh]

Hi all, first of all I want to thank anyone for any help as it is greatly appreciated!

So, here goes,

The situation: Currently we have an application that requires admin privileges to be run correctly. This is a problem because it means giving all of ours users admin access to their local machine. I've been working here and year and can see already that this is a huge problem and it causes me more work due to people having these permissions "eg, spyware and bloatware"

The problem: I want to be able to use Auto IT to be able to run this program in administrator mode while still keeping the user as a basic user (no install privileges etc) I know that there is the "/savecred" command in the 'runas' tool that windows has built in, the only problem is that each user has to have the password entered before they can use it. We have 30 users and they all switch between machines as its a call centre so having to go around to each machine and type in the password 30 times on each account isn't feasible.

Please let me know if you need anymore information and again thank you to anyone who helps

[JohnOne]

The first thing that springs to mind is that this application should be ran remotely from an administrators machine.

[Hdhsgaydh]

I have put thought to this, but the problem with that is that a lot of the files that it uses are local. Its the worst piece of software imaginable and its been developed by our own in-house devs (all of which were fired long before my arrival here) I've always been taught that giving admin rights to standard pleb users is a bad idea, and this just goes to show it. 

[JohnOne]

Of course, that's standard.

However I did not mean run the app on the admin machine, I mean the app is ran on the local machine, but is executed remotely from the admin machine. All file paths remain in tact.

 

Problem is, I've not worked on such a network so I cannot help you on that score. Suffice to say it is possible.

[jguinch]

A no-secure/dangerous way ;

- Create a local user on each computer, and add it to the local administrators group (or better, use a domain user and a GPO if you have an Active Directory)
- Compile an AutoIt Script containing a RunAs call (which use the username and password of the local user created previously)

Do not hit me, sometimes the simplest solutions are time saving

[Hdhsgaydh]

Ok so that sounds a lot more like it! I have a domain user which has been assigned admin privileges on the local machine. This has obviously been password protected so the minions cannot gain access to the admin rights. How would I go about writing the code for the AutoIT script? I think I have an idea but im brand new to AutoIT and have no idea how the syntax works

[Hdhsgaydh]

Of course, that's standard.

However I did not mean run the app on the admin machine, I mean the app is ran on the local machine, but is executed remotely from the admin machine. All file paths remain in tact.

 

Problem is, I've not worked on such a network so I cannot help you on that score. Suffice to say it is possible.

I'm not sure that would work again in this case as we also need the drives to be mapped to the account. (it needs our q drive to be able to work properly) Unless I found a way to map the q drive on there too, and to of course get it to run the program remotely of course

[jguinch]

Well, it's easy :

 - Open the helpfile
 - Navigate to AutoIt / Function Reference /  Process Management / RunAs and look at the example.

 

[Jon]

Unless the machines are Windows XP that isn't going to work. RunAs doesn't really work as you'd expect in UAC environments since Vista/Windows 7.

Why does the application need admin rights? Does it just need extra file/registry access? Often you can just open up a few file/registry areas and get away with it.

[Hdhsgaydh]

Well, it's easy :

 - Open the helpfile
 - Navigate to AutoIt / Function Reference /  Process Management / RunAs and look at the example.

 

Thank you very much I will go and have a look and update if it all works out

Unless the machines are Windows XP that isn't going to work. RunAs doesn't really work as you'd expect in UAC environments since Vista/Windows 7.

Why does the application need admin rights? Does it just need extra file/registry access? Often you can just open up a few file/registry areas and get away with it.

These are Windows 7/10 machines and I have tried it before and it does work as intended. The problem I have with your suggestion is that no one knows why it needs the admin rights, everyone who did know was made redundant years ago sadly. I'm just trying my best to make the situation better for me and my team with the limited knowledge i have (straight out of uni)

[jguinch]

Jon begins by the begining, and it's the direction that you should take.

With RunAs, the network drives will be lost (because it's a different user context).

If you don't know why your program needs admin rights, take a look at Process Monitor (https://technet.microsoft.com/en-us/library/bb896645.aspx) : if will give you a lot of informations about what happens on your computer. You can add a filter to monitor a given process, then you just have to search for "access denied" in the result. (in theory because sometimes, it's not easy at all).

[JohnOne]

You should at least know what the application does?

EDIT:

Then make a new one.

Edited September 28, 2015 by JohnOne

[jguinch]

j1 will send you a quotation for a new dev

[Hdhsgaydh]

Jon begins by the begining, and it's the direction that you should take.

With RunAs, the network drives will be lost (because it's a different user context).

If you don't know why your program needs admin rights, take a look at Process Monitor (https://technet.microsoft.com/en-us/library/bb896645.aspx) : if will give you a lot of informations about what happens on your computer. You can add a filter to monitor a given process, then you just have to search for "access denied" in the result. (in theory because sometimes, it's not easy at all).

So with that tool I can see exactly where the program is hitting brick walls in terms of permissions?

You should at least know what the application does?

EDIT:

Then make a new one.

Hey, im just the computer engineer. I can't code its way WAY out of my scope I would say even doing this stuff is above and beyond my job description but i'm just trying to help

[jguinch]

So with that tool I can see exactly where the program is hitting brick walls in terms of permissions?

It gives you all registry/files/network/thread events. Try it, you will see (you have to run it with admin rights - runas different user - and run the app with the limited rights)

[Hdhsgaydh]

It gives you all registry/files/network/thread events. Try it, you will see (you have to run it with admin rights - runas different user - and run the app with the limited rights)

I'll give this a go and see what happens. If this fails then I can try the dirty way

[Hdhsgaydh]

Ok using process monitor didn't work, and I tried making my own code using the help section and i coudln't seem to get it to work. I click the .exe that i compiled and nothing happens. It might help if i post my code here for you guys?

 

Thanks

[jguinch]

Yes, post your code