Software require admin privilege to run on machine, how to assign rights on OU in domain invironment

Question

Hi, I have configured Domain on server 2012 R2 Standard and the user joined the domain as a domain user only, the problem is coming to run one software that requires administrator rights on the machine. I don't want to give that user full administrator rights just I want to allow that software to run by default admin rights. is there anyway then please suggest me. if you have any idea how to create a group policy for the same please let me know.

Answer 1

It would be a huge security hole to allow a non-admin to run an admin only app. Just think of what hackers could do with that kind of permission.

In order to run an admin-only app on a machine the user running it must be an admin. You can of course use UAC to have the user elevate or you can have the user right-click the app and select Run as Administrator and then an admin enter their credentials. Neither of these probably solve the problem you have though.

A hackish workaround that might work is to create a scheduled task that runs under an admin account and can be run manually. The user could then run the scheduled task which then runs under the admin account. Depends upon the app and your network setup as to whether this would work correctly or not though.

Of course if the user just needs local admin rights and you're fine with that then you can set up a GP to have an AD role added to the local administrators group. Then add the user to that AD role. That is how we give our devs admin privileges to their own machines.

Answer 2

Hi,

Thank you for posting in our forum.

As the expert above said, allowing non-administrators to run administrator-only applications is a very insecure thing, so Microsoft does not recommend using non-administrators to run administrator applications.

If you insist on doing this, you can try the information provided by the experts above.

At the same time, this link can provide you with reference
reference： https://www.ibm.com/docs/en/spectrum-control/5.3.6?topic=configuring-granting-local-administrative-privileges-domain-account

Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.

Hope this information can help you

Best wishes

Vicky

Answer 3

Hi,
Just checking in to see if the information provided was helpful.
Please let us know if you would like further assistance.
Best Regards,
Vicky

Answer 4

Hi,
Welcome to share your current situation if there are any updates.
Please feel free to let us know if you need further assistance.
Best Regards,
Vicky

Answer 5

@Birendra Kumar

I know this post is a bit stale but a lot of people struggle with this and I hope if this doesn't help you, it'll help others like you.
It is always better to discuss these things with the vendor of the application and see if there is a recommended path.

In barring this, there are a number of steps a systems engineer can take to discover this and understand what needs to change. One approach is to simply to perform a "WhatChanged" review before and after installing the application. This can help give a much deeper insight to what folders, files, and registry views that may be used by the application. It isn't likely (though it can happen) that the system will write to a pre-existing folder. This can usually give some clarity.

You can also try to sandbox it and take a look at all the disk-write events that may occur. This can give insight to how the application functions a bit and can show-case that space.

With that approach like this, you can usually track down what permissions you need to change no matter the application.

But, documented and practiced is better than winging it. If you don't know, partner up with an SME in this type of support.