RunAsAdmin authorize applications or folders, which contents can start with highest privileges by a limited user.
Allow limited users to run specific software or contents of whole folders, which need administrator rights.
Distribute software or updates, by simply copy the setup.exe into an allowed directory with read rights for a usergroup,
which can install this provided software themselves.
Delegate administrative tasks you authorize in RunAsAdmin and via folder permissions to limitd users or any other special user group.
If you understand the simple principle of RunAsAdmin,
it is easy to use this tool effective for various purposes
on a single workstation up to a big domain forest.
RunAsAdmin.exe is a grafical interface to install the service of RunAsRob and set the allowed directories into the registry path of RunAsRob.
If a limited user start an application by a shortcut, created from RunAsAdmin, or drag an drop the application over RunasRob.exe,
the service of RunAsRob compare its registry setting, if this is an allowed application.
If it is allowed, the service of RunAsRob start it as system account or as administrator, whichever logon option you set in the RunAsAdmin interface.
Default access permissions on microsoft systems avoid that a limited user manipulate registry settings or files in the default program path.
In collaboration with directory permissions, OUs or Group Policies RunAsAdmin can be a versatile tool in a big domain.
Quick guide RunAsAdmin:
Launch a program as limited user with system rights.
Unpack Runasrob.zip, start RunAsAdmin.exe and press button >> install RunasRob << to install the service of RunAsRob.
Add application you want to start with system rights by button >> Add application <<.
Select this application on listbox in RunAsAdmin and create a shortcut by >> Create shortcut <<.
Use this shortcut for limited user to run the selected program with system rights.
If you need, you can restrict the access for a group of users by settings folder permissions of this directory.
By using a network share, the computer account of this machine must have read rights to this share. In Domain it is the group domain computers.
By read rights on folder permissions you can authorize the users and computers,
which can use the allowed directory you set in RunAsAdmin
In screenshot below, i share 3 central folders software,
updates, taxlaw on a network server,
and i set appropriate read rights for the specific group >Region
admins<, >Users<, and
and all computer clients in domain by group >Domain
On share taxlaw i resctrict the allowed call to computer group >
Then i set on clients this network directories in RunAsAdmin.
Now users of
the specific group can run applications from
their appropriate folder via RunAsRob with system or
Stored Settings in registry.
Here you seee the registry values AllowedPath and LogonFlag, which will be saved by RunAsAdmin and read from RunAsRob for verifying.
You can also edit them by policy or manually.
With group policy you can manage central the allowed applications.
You can download this RunAsRob Group Policy admx und adml files on RunAsRobPolicy.zip
On Screenshot you see an OU Finance, i assign the PolicyRunAsRob and add the allowed directories >> \\appsrv\software\;\\appsrv\updates\;\\appsrv\taxlaw\ << to computers of this OU.
To differentiate which users or groups of this computers may run applications from this directory i use the folder permissions i described above.
Configure a directory for a limited user to run applications with local administrator rights from this folder.
By this way you can share a central folder in a domain for applications, updates, patches... for a limited user,
which can install the software in this folder themselves
and/or you can also specified a local program path its applications you want to start under administrator rights from a standard user account.
Use a local path or share a folder on a server in a domain with read permissions for user and on a network share also for the machine account.
You can can also create a group of computers and/or users which are authorized to this folder.
By this way you can set flexible rights for users, computers or groups which may run applications over RunasRob with administrator rights
Install and configure RunasRob on client and set the authorized folders or applications in registry
by a) RunasAdmin.exe, b) central group policy or c) command line.
b) Central group policy
c) Command line
install RunasRob with option/install and /allowedpath, followed by the folder or application you want to allow.
If you want to allow more folders and applications separate it with a semicolon..
On example below you allow applications in local path taxlaw, the program regedt32.exe and applications in server path share1.
>> runasrob.exe /install /allowedpath:C:\Program Files (x86)\taxlaw\;C:\windows\system32\regedt32.exe;\\server\share1\; <<
An advanced optional switch are /asservice (by default) or /asadmin.
/asservice -> The allowed application is running under system account with elevated admin rights.
/asadmin -> After the user enter his credentials he will be a member of the local administrator group for this application which is running under his own account.
>> runasrob.exe /install /allowedpath:C:\Program Files (x86)\taxlaw\;C:\windows\system32\regedt32.exe;\\server\share1\;/asadmin <<
Configuration is finished. Now you can see on registry path of RunasRob the Key allowedPath.
You can edit this key with Runasadmin, manually or central policies.
On 64 Bit machine >> HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\RunasRob
On 32 Bit machine >> HKEY_LOCAL_MACHINE\SOFTWARE\RunasRob
Now a user can call applications from this folders with local administrator rights
by drag and drop the allowed application over RunasRob.exe
or you make a shortcut or batch file like the following commands..
>> runasrob.exe \\server\share1\yourProgram.exe <<
>> runasrob.exe c:\windows\system32\regedt32.exe <<
>> runasrob.exe c:\Program Files (x86)\taxlaw\update.exe <<
Further Video examples:
In video example 1, i authorize limited users to run applications over RunAsRob from system32 directory with system rights. In video example 2, i authorize limited users to install applications over RunAsRob from a network share. In video example 3 i will show you how to configure very specific restrictions by an easy way in an enterprise domain.
I authorize a group of limited users to run applications over RunAsRob with administrator rights from a specified network share on computers in a specific department.
For any suggestions, errors, questions, specific requirements or adjustments please contact: email@example.com