Logo Runas
underline
 ROBOTRONIC.DE

 
Run as administrator
point
     Home    
   Contact  
     EULA   
  Runas Spc 
  Runas Rob 
  RunAsAdmin  
  RunAsService  
  as another user  
  details  
  Run Elevated 
  Order  

 Runas Rob EnglishRunas Rob
RunAsAdmin authorize applications or folders, which contents can start with highest privileges by a limited user.
  • Allow limited users to run specific software or contents of whole folders, which need administrator rights.
  • Distribute software or updates, by simply copy the setup.exe into an allowed directory with read rights for a usergroup,
    which can install this provided software themselves.
  • Delegate administrative tasks you authorize in RunAsAdmin and via folder permissions to limitd users or any other special user group.
If you understand the simple principle of RunAsAdmin, it is easy to use this tool effective for various purposes
on a single workstation up to a big domain forest.

RunasAdmin is just a grafical interface to install the service of RunAsRob and set the allowed directories into the registry path of RunAsRob.
If a limited user start an application over a shortcut, created from RunAsAdmin, or drag an drop the application over RunasRob.exe,
the RunAsRob Service check its registry setting, if this is an allowed application.
If it is allowed, the service of RunAsRob start it as system account or as administrator, whichever logon option you set in RunAsAdmin interface.
Default access permissions on microsoft systems avoid that a limite user manipulate registry settings or files in the default program path.
In collaboration with directory permissions, OUs or Group Policies RunAsAdmin can be a versatile tool in a big domain.
.
AdminPath configuration Window



Quick guide RunAsAdmin:

Launch a program as limited user with system rights.
  1. Unpack Runasrob.zip, start RunAsAdmin.exe and press button >> install RunasRob <<.to install the service of RunAsRob
  2. Add application you want to start with system rights over button >> Add application <<
  3. Select  this application on listbox in RunAsAdmin and create a shortcut over >> Create shortcut <<
  4. Use this shortcut for limited user to run the selected program with system rights.
  5. If you need, you can restrict the access for a group of users by settings folder permissions of this directory..
  6. By using a network share, the computer account of this machine must have read rights to this share. In Domain it is the group domain computers.
  7. Video example

Run application under a limited user account as administrator with environment of this limited account.
  1. Start RunasAdmin.exe from RunasRob folder.
  2. Press button >> Install RunasRob<< to install RunasRob Service.
  3. Set the option >> Logon as << to administrator.
  4. Press button >> Add application << and select the program you want to authorize.
  5. Select this application in the listbox and press button >> Create shortcut <<.
  6. Over created shortcut a limited user can now use this shortcut to call selected application 
    as administrator.
  7. Before the application starts, the user will be asked for his credentials
    to run it under his own account and profile as a member of the local administrator group
  8. Video example



By folder permissions read rights, you can authorize the users and computers, which can use the allowed directory you set in RunAsAdmin for RunAsRob.exe

In screenshot below,  i share 3 central folders software, updates, taxlaw on a network server,
and i set appropriate read rights for the specific group >Region admins<, >Users<, and >Accountants<,
and all computer clients in domain by group >Domain Computers<. On share taxlaw i resctrict the allowed call to computer group > Accountants Computers<.
Then i set on clients this network directories in RunAsAdmin.
Now users of the specific group can run applications from their appropriate folder via RunAsRob with system or administrator account.
RunasRobShareAndPermissions



Stored Settings in registry:
Here you seee the registry values AllowedPath and LogonFlag, which will be saved by RunAsAdmin and read from RunAsRob for verifying.
You can also edit them by policy or manually.
Registry RunasRob



With group policy you can manage central the allowed applications.
You can download this RunAsRob Group Policy admx und adml files on RunAsRobPolicy.zip
On Screenshot you see an OU Finance, i assign the PolicyRunAsRob and add the allowed directories >>  \\appsrv\software\;\\appsrv\updates\;\\appsrv\taxlaw\ << to computers of this OU.
To differentiate which users or groups of this computers may run applications from this directory i use the folder permissions i described above.
RunasRobGroupPolicyAllowedPath



Example:
Configure a directory for a limited user to run applications with local administrator rights from this folder.

By this way you can share a central folder in a domain for applications, updates, patches... for a limited user which can install the software in this folder themselves
and/or you can also specified a local program path its applications you want to start under administrator rights from a standard user account.

Description:
  1. Use a local path or share a folder on a server in a domain with read permissions for user and on a network share also for the machine account.
    You can can also create a group of computers and/or users which are authorized to this folder.
    By this way you can set flexible rights for users, computers or groups which may run applications over RunasRob with administrator rights
    Server Share Permission

  2. Install and configure RunasRob on client and set the authorized folders or applications in registry
    by a) RunasAdmin.exe, b) central group policy or c) command line.

    a) RunasAdmin
    Screenshot RunasAdmin

    b) Central group policy
    GroupPolicyAllowedPath

    c) Command line
    install RunasRob with option /install and /allowedpath, followed by the folder or application you want to allow.
    If you want to allow more folders and applications separate it with a semicolon..
    On example below you allow applications in local path taxlaw, the program regedt32.exe and applications in server path share1.
    >> runasrob.exe /install /allowedpath:C:\Program Files (x86)\taxlaw\;C:\windows\system32\regedt32.exe;\\server\share1\;  <<
    Runas Rob Install AllowedPath

    An advanced optional switch are /asservice (by default) or /asadmin.
    /asservice -> The allowed application is running under system account with elevated admin rights.
    /asadmin ->  After the user enter his credentials he will be member of the local administrator group for this application which is running under his own account.
    >> runasrob.exe /install /allowedpath:C:\Program Files (x86)\taxlaw\;C:\windows\system32\regedt32.exe;\\server\share1\; /asadmin <<
    allowed folder with option asadmin

  3. Configuration is finished. Now you can see on registry path of RunasRob the Key allowedPath.
    You can  edit this key with Runasadmin, manually or central policies.
    On 64 Bit machine >> HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\RunasRob
    On 32 Bit machine >> HKEY_LOCAL_MACHINE\SOFTWARE\RunasRob
    RunasRob Registry Screenshot of Allowed Path

  4. Now a user can call applications from this folders with local administrator rights
    by drag and drop the allowed application over RunasRob.exe
    or you make a shortcut or batch file like the following commands..
    >> runasrob.exe \\server\share1\yourProgram.exe  <<
    >> runasrob.exe c:\windows\system32\regedt32.exe <<
    >> runasrob.exe c:\Program Files (x86)\taxlaw\update.exe <<
    Call an Application from an allowed path


Further Video examples:

In video example 1, i authorize limited users to run applications over RunAsRob from system32 directory with system rights.
In video example 2, i authorize limited users to install applications over RunAsRob from a network share.
In video example 3 i will show you how to configure very specific restrictions by an easy way in an enterprise domain.
I authorize a group of limited users to run applications over RunAsRob with administrator rights from a specified network share on computers in a specific department.



Contact:


For any suggestions, errors, questions, specific requirements or adjustments please contact:
runas@robotronic.de



Licence:


RunasRob is only free for private use.
For companies and other organisations we deliver a licensed version, registered to the organisation name.
Order RunasRob >>>
Download RunasRob >>>