I'm trying to find the best and most secure way to allow certain domain users to run a specific application (like cmd.exe or another tool) with elevated privileges, without making them part of the Administrators group. I've already experimented with Task Scheduler, Group Policy Objects (GPOs), runas, and AppLocker. The goal here isn't to bypass security but to set this up correctly in a managed Windows Server to Client environment.
3 Answers
I haven't tried this out, but PowerShell Just-Enough-Administration (JEA) could be a solid option for you. It allows you to delegate specific administrative tasks to regular users without giving them full admin rights. You can control exactly what commands they can run and even keep track of their activities.
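A JEA endpoint of the kind this answer describes, added here as an illustration and not code from the thread. The module name `ContosoJEA`, role `SpoolerOperator`, group `CONTOSO\PrintOperatorsJEA`, endpoint name, and the Spooler service are all assumed placeholders; run it from an elevated PowerShell on the target machine.

```powershell
# Added example. Every name below (ContosoJEA, SpoolerOperator, CONTOSO\PrintOperatorsJEA,
# JEA.SpoolerOperator, the Spooler service) is an assumed placeholder.
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ContosoJEA'
$config = Join-Path $env:ProgramData 'JEAConfiguration'
$logs   = Join-Path $config 'Transcripts'

# Role capability files are only discovered inside a module's RoleCapabilities folder.
New-Item -ItemType Directory -Force -Path (Join-Path $module 'RoleCapabilities'), $logs | Out-Null
New-ModuleManifest -Path (Join-Path $module 'ContosoJEA.psd1')

# Role capability: list only what the role needs, and pin parameters where possible.
# Do not expose a general-purpose shell or interpreter (cmd.exe, powershell.exe) here:
# the session runs as a privileged account, so that would hand over full admin rights.
New-PSRoleCapabilityFile -Path (Join-Path $module 'RoleCapabilities\SpoolerOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name       = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
    )

# Session configuration: restricted endpoint, temporary virtual admin account,
# transcripts of every session, and the group-to-role mapping.
$pssc = Join-Path $config 'SpoolerOperator.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $logs `
    -RoleDefinitions @{ 'CONTOSO\PrintOperatorsJEA' = @{ RoleCapabilities = 'SpoolerOperator' } }

# Validate the file before registering; registration restarts WinRM.
if (Test-PSSessionConfigurationFile -Path $pssc) {
    Register-PSSessionConfiguration -Name 'JEA.SpoolerOperator' -Path $pssc -Force
}

# A member of the mapped group then connects without being a local administrator:
#   Enter-PSSession -ComputerName <server> -ConfigurationName JEA.SpoolerOperator
```

Members of the mapped group can restart only the named service in that session, and each session is written to the transcript directory for review.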
Have you thought about using a Privileged Access Management (PAM) solution? I've had success with Autoelevate, and there are several others with Just-In-Time (JIT) admin capabilities that might fit your needs.
Why do these users need to run these applications as admin? In my case, it was crucial for opening listening sockets during development. Sometimes even updating software requires elevated permissions.
