Allow user to run application as a power user



Hello,

I have an application that I am distributing with SMS. The problem that I
am having is that the application, now on the target machine, requires power
user or admin privileges to run. I can run the application via SMS in the
system context, but that will not help, since the app configures the user's
environment.

So unless someone knows of an easier solution, I need to run a script, in
the system context that makes the current logged on user a member of the
local power users group, if they are not already a member of that group or
the admins group and then run the application under the user's context.
Finally, after the application is complete, the script, under the system
context again, would then revert the user back to his former permission
level, i.e., return user to former group memberships.

I don't think that this can be done with one script, because of the context
issues. But, since I am using SMS, I can use three different scripts and
chain them together.

1. Promote the current logged in user to a member of the local power users
group, if needed.
2. Run the application under the user's context.
3. Demote the current logged in user back to his original group memberships.

Since we don't normally allow membership in the power users group, I guess
it would be ok to specifically remove the user from the power users, but if,
in the future, we did allow permanent power users, this approach could cause
problems.

Another concern is security. I realize that during the period between the
first and third scripts that the user could exploit the elevated privileges.
Worse yet, they could kill the process before the third script can run, which
would leave them in the elevated state.

Unfortunately, I am really just learning to script, so the details are
currently beyond me. I am not sure if these scripts should be in VB or not.
If anyone could offer suggestions or point me in the right direction, I would
be grateful.

Thanks,

Ed
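
A sketch of steps 1 and 3 as a single VBScript, added here as an illustration and not part of the original post: it records a marker only when it actually adds the user, so the demote step reverts just what the promote step changed and leaves any permanent Power Users alone. The script name, the MARKER registry path and the use of Win32_ComputerSystem to find the console user are assumptions of this example.

```vbscript
' Added example, not from the original post. Run as SYSTEM, e.g. from SMS:
'   cscript //nologo tempgroup.vbs promote     (later: ... demote)
' tempgroup.vbs and MARKER are hypothetical names chosen for this sketch.
' Windows builds the access token at logon, so a new membership applies
' only to a session the user starts after Promote has run.
Option Explicit
Const MARKER = "HKLM\SOFTWARE\ExampleCorp\TempPowerUser\Member"
Dim shell, net
Set shell = CreateObject("WScript.Shell")
Set net = CreateObject("WScript.Network")
If WScript.Arguments.Count <> 1 Then WScript.Quit 2
Select Case LCase(WScript.Arguments(0))
    Case "promote"
        Promote
    Case "demote"
        Demote
    Case Else
        WScript.Quit 2
End Select

Function GroupObj(name)   ' local group on this machine via the WinNT provider
    Set GroupObj = GetObject("WinNT://" & net.ComputerName & "/" & name & ",group")
End Function

Function ConsoleUserPath()   ' ADsPath of the console user, "" if nobody is logged on
    Dim wmi, cs
    ConsoleUserPath = ""
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
    For Each cs In wmi.ExecQuery("SELECT UserName FROM Win32_ComputerSystem")
        If Not IsNull(cs.UserName) Then ConsoleUserPath = "WinNT://" & Replace(cs.UserName, "\", "/")
    Next
End Function

Sub Promote
    Dim path : path = ConsoleUserPath()
    If path = "" Then WScript.Quit 1
    ' IsMember sees direct membership only, not membership through nested groups.
    If GroupObj("Administrators").IsMember(path) Then Exit Sub
    If GroupObj("Power Users").IsMember(path) Then Exit Sub   ' permanent member: no marker
    shell.RegWrite MARKER, path, "REG_SZ"   ' written first, so a later demote always knows
    GroupObj("Power Users").Add path
End Sub

Sub Demote
    Dim path
    On Error Resume Next
    path = shell.RegRead(MARKER)
    If Err.Number <> 0 Then WScript.Quit 0   ' no marker: Promote changed nothing
    On Error GoTo 0
    If GroupObj("Power Users").IsMember(path) Then GroupObj("Power Users").Remove path
    shell.RegDelete MARKER
End Sub
```

Because the marker lives outside the user's process, the demote step can also be run at the next startup to clean up if the chain was interrupted before step 3.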