In a domain setting, what's your go-to method for enabling a regular user to launch a particular application with administrative rights? Giving them local admin privileges isn't a viable solution. I often create a scheduled task to run with higher privileges and then provide the user with a script to trigger that task, making it seem like they're just starting the app. While it works, it feels more like a workaround than a clean solution. What do you think is the best practice for handling this in a production environment?
5 Answers
In most situations, it's better to address the permissions problems causing the app to fail without admin rights. This could involve app shims, symlinks, or adjusting permissions on relevant directories and registry keys. It might take some trial and error, but I've had good results getting many older applications to work without needing local admin access.
There are specific tools designed for this, like AutoElevate. I personally use an elevation add-on as part of a Zero Trust Application Security platform called ThreatLocker.
We've been testing the Intune add-on EPM recently, and it seems to perform fairly well.
What about using AppLocker? While it’s great for controlling which apps can run, it doesn’t grant elevated permissions outright. Do you have a particular way of using it to maintain standard user status while still letting specific applications run with admin rights?
We utilize AdminByRequest, and it works quite well. There are various similar tools available, so it's worth looking into.
Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures