Windows : Elevate rights for a regular user and a specific app
- The fact : We have an application that requires administrator rights to function properly.
- The problem : We do not want to give administrator rights to everyone who logs in.
- Hypothesis : Can we give temporary administrator rights (with a timed session?) for a specific app only? If we use MakeMeAdmin : https://github.com/pseymour/MakeMeAdmin/wiki and Group Policies, it should work... ish.
MakeMeAdmin
First, let's download the installer (I'm doing this with an admin account) :
Then, we need to figure out how long the user will need elevated rights. In this scenario, it will be a maximum of 4 hours.
- As the wiki says, we can change the Admin Rights Timeout... so let's put it for 4 hours = 240 (minutes)
Need to create a registry key with all the values stated in the wiki :
HKLM\Software\Sinclair Community College\Make Me Admin
** Note : I changed certain default values to represent what I want or would like. But for a test, I changed the value of Admin Rights Timeout to 5 minutes (not shown on the image).**
- Also, need to specify which group will be able to use the app : In this format DOMAIN\Name
Next, need to block the admin rights to other important apps. For this, I'll try Group Policy.
(Could also be done with a domain GPO)
gpedit.msc
Then
User Configuration > Administrative Templates > System
Enable :
- Prevent access to the command prompt
- Don't run specified Windows applications :
cmd.exe, powershell.exe, mmc.exe, pwsh.exe, msiexec.exe, taskmgr.exe. Also add powershell_ise.exe.
** Note: blocking cmd.exe and mmc.exe will also block access to gpedit.msc afterwards so... beware. If it happens, this is where the entries are located in the registry :**
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
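To check that the list above actually landed in that key, the following PowerShell function is an added example, not part of the original post. The function name `Test-DisallowRunPolicy` is hypothetical, and `<SID>` in the comment is a placeholder for a loaded user profile.

```powershell
# Added example: audit the "Don't run specified Windows applications" policy.
# By default it reads the current user's hive. An administrator can pass
# 'Registry::HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# to inspect another loaded profile (<SID> is a placeholder).
function Test-DisallowRunPolicy {
    [CmdletBinding()]
    param(
        [string]$PolicyRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        # Executables this page adds to the policy list.
        [string[]]$Expected = @('cmd.exe', 'powershell.exe', 'mmc.exe', 'pwsh.exe',
                                'msiexec.exe', 'taskmgr.exe', 'powershell_ise.exe')
    )

    # The policy is only active when the DisallowRun DWORD under Explorer is 1.
    $flag = (Get-ItemProperty -Path $PolicyRoot -Name DisallowRun -ErrorAction SilentlyContinue).DisallowRun
    $enabled = ($flag -eq 1)

    # The blocked names are string values ("1", "2", ...) in the DisallowRun subkey.
    $listKey = Join-Path $PolicyRoot 'DisallowRun'
    $blocked = @()
    if (Test-Path -LiteralPath $listKey) {
        $key = Get-Item -LiteralPath $listKey
        $blocked = @($key.GetValueNames() |
            Where-Object { $_ } |                       # skip the unnamed default value
            ForEach-Object { [string]$key.GetValue($_) })
    }

    # One row per expected executable: is it in the list, and is the list enforced?
    foreach ($exe in $Expected) {
        [pscustomobject]@{
            Executable    = $exe
            Listed        = ($blocked -contains $exe)   # -contains ignores case
            PolicyEnabled = $enabled
        }
    }

    # Entries found in the registry that are not on the expected list.
    foreach ($extra in ($blocked | Where-Object { $Expected -notcontains $_ })) {
        [pscustomobject]@{ Executable = $extra; Listed = $true; PolicyEnabled = $enabled }
    }
}

Test-DisallowRunPolicy | Format-Table -AutoSize
```

Run it before rebooting into the restricted account, or from an administrator session against the user's hive, since powershell.exe is itself on the blocked list.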
Reboot and login with a regular user.
Problem : It seems that although it blocks pretty much everything, Terminal from the right-click Start menu is not blocked.
Disable right click on start button
After a lot of reading up on this subject, it would be easier to create a GPO that would hide these options.
These options are divided by groups (1,2,3)
They are located here :
C:\users\default\AppData\Local\Microsoft\Windows\WinX\
So I created a new GPO and in the edit, I went to User config - Preferences - Folders and added this for the group I would like to hide (Group 3)
Note : For it to work, you need to create 2 updates. One for the default and one for the users
C:\users\default\AppData\Local\Microsoft\Windows\WinX\Group3
C:\users\%username%\AppData\Local\Microsoft\Windows\WinX\Group3
A little gpupdate /force
and voilà, no more options from the third group :