I'm a new senior sys admin at a small company, and my task is to remove local admin access from users on their workstations. There's one application that updates frequently—about once or twice a week—and requires admin access to function properly. The users have mentioned it can't be used without these updates. I've tried granting them full access to the app files in the program files (x86) directory, but that hasn't resolved the issue. My attempt to use Process Monitor to see what permissions are needed didn't pan out either, as I struggled to interpret the results.
Additionally, these users aren't always connected to our domain since they don't need any in-house resources, which raises questions about whether solutions like LAPS would be effective. It feels like the users prefer to have minimal interference and just get their work done. I'm considering giving them power user access temporarily until we're able to join them to Intune for better control. Has anyone faced a similar situation and could share insights or solutions?
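The Process Monitor trace the question mentions is easier to read once it is reduced to the events that actually failed. The following is an added PowerShell example, not code from this thread: it filters a Procmon CSV export down to ACCESS DENIED events for the updater process, groups them by path and operation, and classifies each path so you can see whether a file ACL or a registry ACL is the fix. The export location, the process name Updater.exe, and the sample rows embedded in the script are constructed assumptions.

```powershell
# Added example, not code from the thread: reduce a Process Monitor CSV export
# to the paths the updater was denied access to, so you can see what to grant.
# Hypothetical assumptions: export at C:\Temp\updater.csv with Procmon's default
# columns (File > Save > CSV), and the updater process is named Updater.exe.

function Get-ProcmonDenied {
    param(
        [Parameter(Mandatory)] [object[]] $Events,      # rows from Import-Csv / ConvertFrom-Csv
        [Parameter(Mandatory)] [string]   $ProcessName  # e.g. 'Updater.exe'
    )

    # Classify a path so you know whether the fix is a file ACL or a registry ACL.
    function Get-PathClass([string] $Path) {
        switch -Regex ($Path) {
            '^HKLM\\'              { return 'Registry (HKLM)' }
            '^HKCU\\'              { return 'Registry (HKCU)' }
            '^C:\\Program Files'   { return 'File (Program Files)' }
            '^C:\\ProgramData\\'   { return 'File (ProgramData)' }
            '^C:\\Windows\\'       { return 'File (Windows)' }
            default                { return 'Other' }
        }
    }

    $Events |
        Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Result -eq 'ACCESS DENIED' } |
        Group-Object -Property Path, Operation |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Class     = Get-PathClass $first.Path
                Operation = $first.Operation
                Path      = $first.Path
                Count     = $_.Count
            }
        } |
        Sort-Object Class, Path
}

# Constructed sample rows in Procmon's CSV layout, used so the script runs
# without a real capture; on a real box the Import-Csv branch is taken instead.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","Updater.exe","4120","CreateFile","C:\Program Files (x86)\ExampleApp\app.exe","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.2","Updater.exe","4120","CreateFile","C:\Program Files (x86)\ExampleApp\app.exe","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.3","Updater.exe","4120","RegSetValue","HKLM\SOFTWARE\WOW6432Node\ExampleApp\Version","ACCESS DENIED","Type: REG_SZ"
"10:01:02.4","Updater.exe","4120","CreateFile","C:\Users\alice\AppData\Local\Temp\update.tmp","SUCCESS","Desired Access: Generic Write"
"10:01:02.5","Updater.exe","4120","CreateFile","C:\ProgramData\ExampleApp\update.log","ACCESS DENIED","Desired Access: Generic Write"
"10:01:03.0","explorer.exe","1234","RegQueryValue","HKCU\Software\Classes","SUCCESS",""
'@

$csvPath = 'C:\Temp\updater.csv'
$events  = if (Test-Path -LiteralPath $csvPath) { Import-Csv -Path $csvPath } else { $sampleCsv | ConvertFrom-Csv }

Get-ProcmonDenied -Events $events -ProcessName 'Updater.exe' | Format-Table -AutoSize
```

Capture with a filter on the updater's process name and run the update as a standard user so the denials actually occur; events under the user's own profile (the SUCCESS temp write above) are fine, and the ones that matter are the writes under Program Files, ProgramData and HKLM. If the updater spawns a child process (an msiexec or a second installer executable), add that process name to the filter too, since the denial may land there rather than in the parent.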
5 Answers
Using AutoElevate has been a huge lifesaver for us! I can't recommend it enough; it's straightforward and effective.
I had a similar situation ages ago. I reached out to the software vendor directly, and they provided an enterprise installer version that could be deployed via GPO instead of the regular installer. It worked out really well for us!
I did that too! The vendor had a registry tweak to allow updates without needing admin access. Just ask them!
If you've already adjusted permissions for all necessary registry and file locations, using the Application Compatibility Toolkit (ACT) to configure a shim might be next. Shims can help disable admin triggers, potentially alleviating the UAC prompts. Just be warned, it may not work if the application is hard-coded to ask for admin access.
I think I might not have given the program all the permissions it needs. What tools have you used to audit permission requests?
If you go that route, check out some YouTube tutorials on Process Monitor—those can be really helpful!
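Once the trace has named the locations, the two pieces of the approach in the answer above (permissions on the needed file and registry locations, then stopping the elevation prompt) look like this. This is an added PowerShell example, not code from this thread or from any vendor: it grants a dedicated local group Modify on the application and data folders and write rights on the application's HKLM key, and launches the updater with the RunAsInvoker compatibility layer, which has the same effect as an ACT RunAsInvoker shim. The install directory, registry key, group name and updater file name are hypothetical.

```powershell
# Added example, not code from the thread. Grant-UpdaterAccess runs once,
# elevated; Start-UpdaterAsInvoker runs as the standard user (e.g. from a
# shortcut). Hypothetical assumptions: the paths, key and group name below.

$AppDir  = 'C:\Program Files (x86)\ExampleApp'
$DataDir = 'C:\ProgramData\ExampleApp'
$RegKey  = 'HKLM:\SOFTWARE\WOW6432Node\ExampleApp'
$Group   = 'ExampleApp Updaters'          # local group holding this machine's app users
$Updater = Join-Path $AppDir 'Updater.exe'

function Grant-UpdaterAccess {
    # A dedicated local group keeps the grant to these users and these paths only.
    if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $Group -Description 'May update ExampleApp without admin rights' | Out-Null
    }

    # File system: Modify (M), not Full Control, inherited by files and subfolders
    # ((OI)(CI)). Modify does not include changing the ACL, so members cannot widen it.
    foreach ($dir in $AppDir, $DataDir) {
        if (Test-Path -LiteralPath $dir) {
            icacls $dir /grant "${Group}:(OI)(CI)M" /T | Out-Null
        }
    }

    # Registry: write rights on the app's own HKLM key only, inherited by its subkeys.
    if (Test-Path -LiteralPath $RegKey) {
        $acl  = Get-Acl -Path $RegKey
        $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
            $Group,
            [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey, Delete',
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.SetAccessRule($rule)
        Set-Acl -Path $RegKey -AclObject $acl
    }
}

function Start-UpdaterAsInvoker {
    # RunAsInvoker makes the loader ignore requireAdministrator in the manifest,
    # so the updater starts as the calling user without a UAC prompt. It grants
    # nothing: it only works if the ACLs above already cover every write.
    $env:__COMPAT_LAYER = 'RunAsInvoker'
    try {
        Start-Process -FilePath $Updater
    }
    finally {
        Remove-Item -Path Env:\__COMPAT_LAYER -ErrorAction SilentlyContinue
    }
}
```

Two checks before rolling this out. First, a user who can write to app.exe can replace it, so if an administrator ever runs that binary on the same machine the grant becomes a local privilege escalation path; keep the group limited to the users who actually need the app and prefer a per-user or enterprise installer from the vendor where one exists. Second, if the updater still fails under RunAsInvoker, it is writing somewhere the trace did not cover (or is hard-coded to check for elevation, as the answer warns), so re-trace with the new ACLs in place rather than widening them.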
Another good solution is AdminByRequest paired with whitelisting the app or update utility. This can act as a temporary fix until you transition to Intune. It's also easy to implement.
That sounds interesting! I think I might need to dive deeper into this.
Consider solutions like AutoElevate or another Privileged Access Management (PAM) tool. They're designed for this exact type of scenario. Just make sure you've reached out to the vendor first for guidance; they understand their product best.
Haha, right? They'll definitely have better insights than Reddit!
Absolutely, it’s proven to be one of the best tools we’ve used.
Has anyone heard that AutoElevate is only selling to MSPs now? That's what I was told.
I think that's the way to go for me too. In my previous jobs, vendor help wasn't always reliable, but this seems crucial. Thanks for the tip!