  1. #1
    Campaign
    Join Date
    Feb 2010
    Posts
    6,995
    BG Level
    8
    FFXI Server
    Sylph

    Exempting a single program from UAC

    Hey all,

    Domain computers, a program needs to be run by two people on Windows 7 machines.

    Both users are standard users, not administrator accounts.

    Can't upgrade the accounts because we don't want to.

    Can't turn UAC off because we don't want to.

    These users have a piece of software that needs administrator rights to run. I want to exempt this single program from UAC. I saw some for-pay software that does it, but the company doesn't want to pay for such a little issue.

    Is there a way to allow the users to run a single program without prompting the UAC prompt? I tried adding them and giving them full/modify permissions to the folder, but no love.

    Anyone seen/dealt with/fixed before?

  2. #2
    Puppetmaster
    Join Date
    Jun 2013
    Posts
    63
    BG Level
    2
    FFXIV Character
    Oreo Ku'ki
    FFXIV Server
    Gilgamesh

    You'll need to hand credentials to either a runas shortcut that opens the application as a service account with admin privs on that computer, or create a scheduled task that has those credentials and can be a shortcut to run that task on the desktop. It's pretty much just user impersonation. I suggest using a service account vs a domain admin so it's easier to audit access logs.

  3. #3
    Hyperion Cross
    Join Date
    Jan 2007
    Posts
    8,667
    BG Level
    8
    FFXIV Character
    Kai Bond
    FFXIV Server
    Gilgamesh

    Alternatively, probably sitting on the workaround tier if Tancients' suggestion isn't possible, virtual machines! lol -- overkill of course (and will only be terrible if the machines have sucky CPUs)
    Or, Citrix if it's available.

    And the last awkward method, we have a Microsoft SQL Server Enterprise Manager app (I forget version, not seen it for a while) where the user remotes desktop onto a server to where the app is installed, but it is incredibly locked down. The only stuff available to him is the app itself, notepad, paint, and his shared drive. He can only log out of the box otherwise, everything else is on lockdown.

  4. #4
    Campaign
    Join Date
    Feb 2010
    Posts
    6,995
    BG Level
    8
    FFXI Server
    Sylph

    Originally Posted by The Stig:
    Alternatively, probably sitting on the workaround tier if Tancients' suggestion isn't possible, virtual machines! lol -- overkill of course (and will only be terrible if the machines have sucky CPUs)
    Or, Citrix if it's available.

    And the last awkward method, we have a Microsoft SQL Server Enterprise Manager app (I forget version, not seen it for a while) where the user remotes desktop onto a server to where the app is installed, but it is incredibly locked down. The only stuff available to him is the app itself, notepad, paint, and his shared drive. He can only log out of the box otherwise, everything else is on lockdown.
    Neither one of these are realistic options. They are non-IT and technologically illiterate people. They need to be able to access the camera system for child care remotely. If it is more complicated than double-clicking the icon, it won't work.

  5. #5
    Hyperion Cross
    Join Date
    Jan 2007
    Posts
    8,667
    BG Level
    8
    FFXIV Character
    Kai Bond
    FFXIV Server
    Gilgamesh

    Ah fair enough.

    Tancients' suggestion will work but as said admin account details would be required.

    I had a look too out of curiosity and found this: http://superuser.com/questions/99286...s-on-windows-7
    2nd answer links to a Microsoft Tool. Not sure if Admin is required for this on the user's side, but the sole reply to it is a bit ... worrying? However it scored 6 ... !

  6. #6
    Puppetmaster
    Join Date
    Jun 2013
    Posts
    63
    BG Level
    2
    FFXIV Character
    Oreo Ku'ki
    FFXIV Server
    Gilgamesh

    The admin credentials would be saved and you wouldn't have to provide them to the end-user at all. It'd be as simple as a shortcut on the desktop that "just works" as far as the user is concerned.

    Going off of Stig's suggestion you could have an app server that pushes an application out when the user clicks on a shortcut, but since you stated this only impacts two users, I figured you didn't want to engineer server space for that. Virtualization can be set up to do a lot behind the scenes and something like XenApp allows you to do exactly what you need for a multitude of users. Windows remote desktop server, if you have one, has the ability to create customized app executables that run on a server but act like an application on the user's desktop.

    I've been working on engineering internet-less mobile environments so I've seen a lot of various implementations, but most are beyond the scope you provided in the original post.

    Hopefully the application isn't some backwards database app that references multiple executables to access various menus. In which case a virtualized app is really the only solution if you don't want to go the other route.

  7. #7
    Murder machine with a motor in her nose
    Join Date
    Apr 2007
    Posts
    368
    BG Level
    4
    FFXI Server
    Carbuncle

    Let's get crazy:
    http://www.howtogeek.com/howto/windo...windows-vista/

    This does work in Win7 last I checked.

    (yes, I realize this was mentioned before but these are the exact steps to do it)

    The benefit of using the task scheduler workaround is that the process runs under the user's account, rather than under a different admin/system account. Per Microsoft:

    "If you select the checkbox labeled Run with highest privileges, Task Scheduler will run the task using an elevated privileges token rather than a least privileges (UAC) token."

    If you're only deploying this to two users, this may be an easier solution rather than dealing with the Microsoft Application Compatibility Toolkit which, honestly, I couldn't make heads or tails of.
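
An elevated task is only as trustworthy as the ACL on the file it launches, which matters given the full/modify folder permissions mentioned in the first post. The audit below is an added example, not code from any poster in this thread; it assumes the tasks sit in the root Task Scheduler folder and that it is run from an elevated PowerShell prompt (the Schedule.Service COM API is used so it also works on Windows 7).

```powershell
# Added example: list tasks that run with highest privileges and flag launch
# targets (file or its folder) that non-administrators are allowed to modify.

# SIDs allowed to hold write access: SYSTEM, Administrators, TrustedInstaller.
$trusted = @('S-1-5-18', 'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')

# Any of these rights lets a principal replace or re-permission the target.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]$fsr::Write -bor [int]$fsr::Delete -bor
             [int]$fsr::ChangePermissions -bor [int]$fsr::TakeOwnership -bor
             0x40000000 -bor 0x10000000      # GENERIC_WRITE, GENERIC_ALL

function Get-UntrustedWriters([string]$Path) {
    # Identities outside $trusted holding an effective Allow ACE with write rights.
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.PropagationFlags -notmatch 'InheritOnly' -and
        ([int]$_.FileSystemRights -band $writeMask) -and
        ($trusted -notcontains $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value)
    } | ForEach-Object { $_.IdentityReference.Value }
}

$svc = New-Object -ComObject Schedule.Service
$svc.Connect()
foreach ($task in $svc.GetFolder('\').GetTasks(1)) {    # 1 = include hidden tasks
    $def = $task.Definition
    if ($def.Principal.RunLevel -ne 1) { continue }      # 1 = TASK_RUNLEVEL_HIGHEST
    foreach ($action in $def.Actions) {
        if ($action.Type -ne 0) { continue }             # 0 = TASK_ACTION_EXEC
        $exe = [Environment]::ExpandEnvironmentVariables($action.Path).Trim('"')
        if (-not (Test-Path $exe)) { continue }          # bare names on PATH are skipped
        foreach ($p in @($exe, (Split-Path $exe -Parent))) {
            $who = @(Get-UntrustedWriters $p)
            if ($who.Count) {
                '{0}: {1} is writable by {2}' -f $task.Name, $p, ($who -join ', ')
            }
        }
    }
}
```

No output means every elevated task in the root folder launches a file that only SYSTEM, Administrators or TrustedInstaller can change.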
