Re: Allow user to run application as a power user
- From: Ed Murphy <EdMurphy@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 26 May 2005 09:30:03 -0700
Thanks for the reply. I didn't realize that the user had to log out and then
back in. I have seen a script that used the net localgroup /add command but
it requires that the admin and the user enter username and passwords because
it uses the runas command.
Since I am using SMS I can set the programs running the scripts to log out
after running, but I think that would be a little annoying to the users. The
application in question is a configurator, which sets up the user's
environment for other applications to run. The vendor has provided a script
which the non-privileged user can run each time they want to run the
application, but it seems like a very cumbersome approach.
Thanks again,
Ed
"Björn Holmgren" wrote:
> "Ed Murphy" <EdMurphy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:2139A0D4-CB28-45F1-BC9C-249F2B36D74A@xxxxxxxxxxxxxxxx
> > Hello,
> >
> > I have an application that I am distributing with SMS. The problem that I
> > am having is that the application, now on the target machine, requires power
> > user or admin privileges to run. I can run the application via sms in the
> > system context, but that will not help, since the app configures the user's
> > environment.
> >
> > So unless someone knows of an easier solution, I need to run a script, in
> > the system context that makes the current logged on user a member of the
> > local power users group, if they are not already a member of that group or
> > the admins group and then run the application under the user's context.
> > Finally, after the application is complete, the script, under the system
> > context again, would then revert the user back to his former permission
> > level, i.e., return user to former group memberships.
> >
> > I don't think that this can be done with one script, because of the context
> > issues. But, since I am using SMS, I can use three different scripts and
> > chain them together.
> >
> > 1. Promote the current logged in user to a member of the local power users
> > group, if needed.
> > 2. Run the application under the user's context.
> > 3. Demote the current logged in user back to his original group memberships.
> >
> > Since we don't normally allow membership in the power users group, I guess
> > it would be ok to specifically remove the user from the power users, but if,
> > in the future, we did allow permanent power users, this approach could cause
> > problems.
> >
> > Another concern is security. I realize that during the period between the
> > first and third scripts that the user could exploit the elevated privileges.
> > Worse yet, they could kill the process before the third script can run, which
> > would leave them in the elevated state.
> >
> > Unfortunately, I am really just learning to script, so the details are
> > currently beyond me. I am not sure if these scripts should be in VB or not.
> > If anyone could offer suggestions or point me in the right direction, I would
> > be grateful.
> >
> > Thanks,
> >
> > Ed
>
> Hi Ed,
>
> My main concern with your proposed solution is that in order for the system
> to recognize the user as a power user (ie member of the power users group),
> the user would have to logoff/logon before starting the application (but
> after joining the power users group).
>
> The best solution IMO - if at all possible - would be to find out exactly
> what makes the application require poweruser/admin privileges, and then
> tweak the installation package to give normal users the rights needed, for
> instance via secedit. If security changes are extensive, it's probably
> better to just grant the user power user privileges permanently (or for as
> long as he/she is using the application).
>
> --
> Björn Holmgren
>
>
>
>
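
An added example, not part of the original thread and not the vendor's script: one way to follow the suggestion of granting normal users only the rights the application needs, here with ACL entries set from an elevated or system-context script rather than with a secedit template. The folder and registry paths are placeholders, since the thread does not say what the application touches.

```powershell
# Added example. Run elevated (for instance as an SMS program in system context).
# Both paths are hypothetical placeholders; replace them with the locations the
# application was actually observed writing to.
$AppDataFolder = 'C:\Program Files\VendorApp\Config'   # placeholder
$AppRegKey     = 'HKLM:\SOFTWARE\VendorApp'            # placeholder

# BUILTIN\Users by well-known SID, so the script also works on localized systems.
$Users = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')

function Grant-UsersFolderModify {
    param([Parameter(Mandatory)][string]$Path)
    # Keep this to a data/config folder. Making a folder that holds executables
    # writable lets any user replace binaries that other accounts will run.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Users, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)          # adds to the existing DACL, replaces nothing
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-UsersRegistryWrite {
    param([Parameter(Mandatory)][string]$Path)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Users, 'ReadKey,SetValue,CreateSubKey', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

if (Test-Path -Path $AppDataFolder) {
    Grant-UsersFolderModify -Path $AppDataFolder
    # Show the resulting entries for the Users group so the change can be reviewed.
    (Get-Acl -Path $AppDataFolder).Access |
        Where-Object { $_.IdentityReference -like '*\Users' } |
        Format-Table IdentityReference, FileSystemRights, IsInherited
}

if (Test-Path -Path $AppRegKey) {
    Grant-UsersRegistryWrite -Path $AppRegKey
    (Get-Acl -Path $AppRegKey).Access |
        Where-Object { $_.IdentityReference -like '*\Users' } |
        Format-Table IdentityReference, RegistryRights, IsInherited
}
```

ACL changes are checked on each access, so unlike a group membership change they apply without the user logging off and back on.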