RunAsAdmin authorize applications or folders, which contents can start with highest privileges by a limited user.
on a single workstation up to a big domain forest.
RunAsAdmin.exe is the grafical interface to install the service of RunAsRob and set the allowed directories into the registry path of RunAsRob.
If a limited user start an application by a shortcut, created from RunAsAdmin, or drag an drop the application over RunasRob.exe,
the RunAsRob Service check its registry setting, if this is an allowed application.
If it is allowed, the service of RunAsRob start it as system account or as administrator, whichever logon option you set in RunAsAdmin interface.
Default access permissions on microsoft systems avoid that a limite user manipulate registry settings or files in the default program path.
In collaboration with directory permissions, OUs or Group Policies RunAsAdmin can be a versatile tool in a big domain.
Quick guide RunAsAdmin:
Launch a program as limited user with system rights.
Run application under a limited user account as administrator with environment of this limited account.
By folder permissions read rights, you can authorize the users and computers, which can use the allowed directory you set in RunAsAdmin for RunAsRob.exe
In screenshot below, i share 3 central folders software, updates, taxlaw on a network server,
and i set appropriate read rights for the specific group >Region admins<, >Users<, and >Accountants<,
and all computer clients in domain by group >Domain Computers<. On share taxlaw i resctrict the allowed call to computer group > Accountants Computers<.
Then i set on clients this network directories in RunAsAdmin.
Now users of the specific group can run applications from their appropriate folder via RunAsRob with system or administrator account.
Stored Settings in registry:
Here you seee the registry values AllowedPath and LogonFlag, which will be saved by RunAsAdmin and read from RunAsRob for verifying.
You can also edit them by policy or manually.
With group policy you can manage central the allowed applications.
You can download this RunAsRob Group Policy admx und adml files on RunAsRobPolicy.zip
On Screenshot you see an OU Finance, i assign the PolicyRunAsRob and add the allowed directories >> \\appsrv\software\;\\appsrv\updates\;\\appsrv\taxlaw\ << to computers of this OU.
To differentiate which users or groups of this computers may run applications from this directory i use the folder permissions i described above.
Configure a directory for a limited user to run applications with local administrator rights from this folder.
By this way you can share a central folder in a domain for applications, updates, patches... for a limited user which can install the software in this folder themselves
and/or you can also specified a local program path its applications you want to start under administrator rights from a standard user account.
Further Video examples:
In video example 1, i authorize limited users to run applications over RunAsRob from system32 directory with system rights.
In video example 2, i authorize limited users to install applications over RunAsRob from a network share.
In video example 3 i will show you how to configure very specific restrictions by an easy way in an enterprise domain.
I authorize a group of limited users to run applications over RunAsRob with administrator rights from a specified network share on computers in a specific department.
For any suggestions, errors, questions, specific requirements or adjustments please contact:
RunasRob is only free for private use.
For companies and other organisations we deliver a licensed version, registered to the organisation name.
Order RunasRob >>>
Download RunasRob >>>