Run as Admin
Posted by Lopsided-Ask-1930@reddit | sysadmin | 30 comments
We are incorporating software that needs to be run as administrator. I made sure that domain admins are in the local admin group. I go to properties > compatibility > run this program as admin checkbox > Change settings for all users > run this program as admin. When a non-admin account opens the software, they get the admin authentication prompt. What am I missing?
SuspiciousSpot8478@reddit
To run applications as administrator while still being a standard user, you need to use an Endpoint Privilege Manager. They let you elevate individual apps through policies or a request release mechanism. You can take a look at Securden EPM. It is available to self host and also in SaaS models.
ZAFJB@reddit
Just NO! Use dedicated admin groups, not the global domain admins.
Domain admins should only contain actual top level domain admin accounts, not daily driver admin accounts.
Legal2k@reddit
Well, the first thing is to stop logging into workstations as a domain administrator. Secondly, in most cases the software wants to write to a folder that is not usually writable by a normal user, or to some stupid registry hive. Using procmon, there is a chance that you can catch that.
Lopsided-Ask-1930@reddit (OP)
Thanks!
Lopsided-Ask-1930@reddit (OP)
Thanks guys. I am trying to avoid regular users being local admin and thought having the app run as admin for all users would fix this. From what I am reading, it seems like it won’t.
N0bleC@reddit
You mentioned you have your Domain Admins set as admins on your clients. I suppose they are also able to log in to your clients. From what I know, that's not best practice. Better to have a separate group for users who have admin rights on your clients. Also, Domain Admins should not have rights to log in on any system besides DCs. (For bonus points, make another group for users with admin/logon rights for servers which are not DCs.)
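The advice above (dedicated admin group on clients, Domain Admins nowhere near a workstation) as a PowerShell example. This is an added example, not something posted in the thread: the domain name CONTOSO and the group name Workstation-Admins are placeholders, and it assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later) run elevated on the workstation.

```powershell
# Added example (not from the thread): swap "Domain Admins" out of the local
# Administrators group for a dedicated workstation-admin group.
# Assumptions: CONTOSO and Workstation-Admins are placeholders; run elevated
# on the client (or in a remoting session) with the LocalAccounts module present.

$Domain       = 'CONTOSO'
$DedicatedGrp = "$Domain\Workstation-Admins"
$DomainAdmins = "$Domain\Domain Admins"

$members = Get-LocalGroupMember -Group 'Administrators'

# Add the dedicated group FIRST so the machine never ends up with no admin path.
if (-not ($members.Name -contains $DedicatedGrp)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $DedicatedGrp
    Write-Host "Added $DedicatedGrp to local Administrators"
}

# Only now remove Domain Admins from the local group.
if ($members.Name -contains $DomainAdmins) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $DomainAdmins
    Write-Host "Removed $DomainAdmins from local Administrators"
}

# Report what is left. Individual user objects here (rather than groups) are
# how "daily driver" admin accounts creep in, so list them separately.
$after = Get-LocalGroupMember -Group 'Administrators'
$after | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

$after | Where-Object ObjectClass -eq 'User' | ForEach-Object {
    Write-Warning "Direct user membership in Administrators: $($_.Name)"
}
```

Removing the group from local Administrators stops Domain Admins being admins on the box, but it does not stop them logging on to it; that part is the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights in Group Policy (User Rights Assignment), applied to workstations and member servers with Domain Admins as the denied principal.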
anonpf@reddit
See my reply. This method should allow a program to run the app with admin privileges for non admin accounts.
anonpf@reddit
Log on with admin privileges
Right click on the exe or shortcut, click properties, click compatibility, click run program as administrator.
Click ok
Test the app with a regular user account
BlackV@reddit
Isn't that exactly what they did in the OP?
Lopsided-Ask-1930@reddit (OP)
Yep
anonpf@reddit
lol, reading comprehension failure on my part. Sorry about that 😂
Did you adjust the ntfs permissions and give the user full control over the installation directory?
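Following on from the NTFS-permissions question above and Legal2k's procmon tip, here is what the least-privilege version of that fix looks like in PowerShell. This is an added example, not code from the thread: the install path, registry key and group name are placeholders, and the script assumes you have already used Process Monitor (filter on Result is ACCESS DENIED while a standard user launches the app) to find the real locations. Run it elevated.

```powershell
# Added example (not from the thread): grant a user group write access to the
# specific places the app writes, instead of running the whole app elevated.
# Assumptions: $AppDir, $AppKey and $Group are placeholders for what procmon
# actually showed you; run elevated.

$AppDir = 'C:\Program Files\ExampleVendor\ExampleApp\Data'   # NOT the folder holding the .exe
$AppKey = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'
$Group  = 'CONTOSO\ExampleApp-Users'                           # people who use the app

# Scope matters: if users can write the folder that holds the executable, anyone
# who can overwrite ExampleApp.exe gets code run by whoever launches it next,
# including an admin. Keep the grant to the data/config subfolder procmon showed.

# --- File system: Modify (not Full Control), inherited by files and subfolders ---
$acl  = Get-Acl -Path $AppDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $AppDir -AclObject $acl

# --- Registry: read + write on the vendor key and its subkeys ---
$racl  = Get-Acl -Path $AppKey
$rrule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Group,
    [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$racl.AddAccessRule($rrule)
Set-Acl -Path $AppKey -AclObject $racl

# --- Verify: show only the ACEs we just added ---
"Folder ACEs for ${Group}:"
(Get-Acl -Path $AppDir).Access | Where-Object IdentityReference -eq $Group |
    Select-Object FileSystemRights, InheritanceFlags, AccessControlType
"Registry ACEs for ${Group}:"
(Get-Acl -Path $AppKey).Access | Where-Object IdentityReference -eq $Group |
    Select-Object RegistryRights, InheritanceFlags, AccessControlType
```

After applying this, clear the "Run this program as administrator" flag again and retest as a standard user; with the flag still set the app keeps requesting elevation and the UAC prompt comes back regardless of the ACLs.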
Lopsided-Ask-1930@reddit (OP)
Tried this. I thought the run as admin would open the program with a non-admin account but only prompt the non-admin account for admin authentication.
BlackV@reddit
you are forcing it to run elevated, this kicks up a UAC prompt, this is by design
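To make the "by design" point concrete: the checkbox in the OP only writes a RUNASADMIN compatibility layer to the registry, which makes the program request elevation; it grants nothing. The script below is an added example, not from the thread, and assumes nothing beyond a normal Windows install: it lists every executable flagged that way (per-user and the "all users" key the OP used), reports whether the current token is elevated, and does a crude check of an executable's embedded manifest for a requestedExecutionLevel that would prompt even without the flag.

```powershell
# Added example (not from the thread): see what "Run this program as administrator"
# actually changed, and why a standard user gets a credential prompt.
# No placeholder values; it reads whatever is on the local machine.

$layerKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',  # "Change settings for all users"
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'   # current user only
)

# 1. Every executable that has been told to request elevation.
#    Value name = full path of the exe, value data = layers, e.g. "~ RUNASADMIN".
foreach ($key in $layerKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip PSPath/PSParentPath etc.
        if ($p.Value -match 'RUNASADMIN') {
            [pscustomobject]@{
                Scope  = $key.Split(':')[0]             # HKLM = all users, HKCU = this user
                Exe    = $p.Name
                Layers = $p.Value
            }
        }
    }
}

# 2. Is this token elevated? If not, anything that requests elevation goes through
#    UAC, and a non-admin is asked for an administrator's credentials (the prompt
#    in the OP). Being in local Administrators changes the prompt to consent only.
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Current user: $($id.Name)   elevated token: $elevated"

# 3. Manifest check. The embedded RT_MANIFEST is plain XML text inside the file,
#    so a byte-level regex is a good-enough triage without SDK tools (mt.exe).
#    "requireAdministrator" here means the vendor built the app to demand elevation,
#    and no compatibility-flag fiddling will make it run as a standard user.
function Get-RequestedExecutionLevel {
    param([Parameter(Mandatory)][string]$Path)
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    if ($text -match 'requestedExecutionLevel[^>]*level\s*=\s*"([^"]+)"') {
        return $Matches[1]          # asInvoker | highestAvailable | requireAdministrator
    }
    return 'none (no embedded manifest level found)'
}

# Usage: point it at the vendor's executable.
Get-RequestedExecutionLevel -Path "$env:SystemRoot\System32\notepad.exe"
```

If step 1 shows the app under HKLM with RUNASADMIN and step 3 reports asInvoker, the only thing forcing the prompt is the checkbox, and the fix is to remove the flag and grant the specific folder or key the app needs. If step 3 reports requireAdministrator, the vendor built it that way and the elevation-management or shim options later in the thread are the remaining routes.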
Lopsided-Ask-1930@reddit (OP)
Excellent tips! Thanks
LawstOne_@reddit
Check with the software vendor. Any modern user-facing software should not need run as admin. It's common now that end users are not local admins.
Lopsided-Ask-1930@reddit (OP)
Will absolutely check with them
Overall_Finding_586@reddit
If you want users to be able to run certain programs as admin without giving them local admin, you can set up the apps with Endpoint Privilege Management in Intune if you use it.
incompletesystem@reddit
Honestly, the first thing I'd do is push back on allowing software that must run as admin. Seems like a liability.
If you have the budget something like ThreatLocker elevation control can allow admin for a single app (by cert, path, hash or combination). The advantage is this still runs as the standard user profile and only that app. Seamless for the user and no creds to remember.
Lopsided-Ask-1930@reddit (OP)
Thanks! Will look into this.
Proof-Variation7005@reddit
Also, this might work where you just use a local admin account and just change the executable: https://community.spiceworks.com/t/man-ups-allow-users-to-update/1007606
Threatlocker would be more ideal though, that or getting the software vendor to fix their shit.
ArsenalITTwo@reddit
You can shim the app with Microsoft Application Compatibility toolkit. Otherwise I'd recommend Beyondtrust, Admin by Request or Auto Elevate.
BenadrylBeer@reddit
2nd for BeyondTrust
bobmlord1@reddit
The user account has to be in the local PC's administrator group. Selecting run as admin just makes it default to prompting.
ArsenalITTwo@reddit
Except that is dangerous. Safer to shim it or get an app to elevate the token.
bobmlord1@reddit
Never said it wasn't lol.
ArsenalITTwo@reddit
lol. Yup I know but I would preface that in there. Some people will take what you say verbatim here.
scubafork@reddit
Telling windows to trust a program and automatically open it up as an admin by a non-admin user would be a *gaping* security flaw. So Windows correctly asks for elevated permissions to be provided.
I would push back on the vendor. No user level software worth paying for should have that kind of weakness.
Master-IT-All@reddit
That sounds like user account control, not a permissions issue.
BornAgainSysadmin@reddit
I thought this too, but had to read the post twice. It is a permission issue, sort of. If I got the story straight, OP is trying to run the app as admin without using an admin account and is possibly confused as to what run as admin means.
no_regerts_bob@reddit
This is expected behavior. The user isn't an admin, but the program is set to run as admin. So the system is prompting for admin credentials to run the program.