Allow given application to run as administrator, without prompting user for credentials

At my workplace, Windows 7 machines are being rolled out, and users are not being granted administrative privileges. My department creates applications that run locally on the user's machine, and those are working normally (as far as we've seen). One application, on the other hand, does not.

It's the application that updates the others (our 'Update Agent'). So, when the user runs the Update Agent, they're immediately stopped with an error, since that application was not able to write to C:\Program Files\our app\

We need a way for these Windows 7 machines to allow this application to be run as administrator or with admin rights when the user executes them. Since these users will never be given the administrator password, 'Run As Administrator' is not an option. The user will need to click on shortcut, and it run with enough permissions to modify that folder, write to the registry, etc.

What I'm hoping for is some kind of GPO or policy or something that can be configured on the domain level that will allow this to occur; or, something configured on the client machines once. Our applications are .net Framework 1.1 and 2.0, and signed with a key.

Any insight would be appreciated.


To accomplish what you want, the easiest thing I can think of is to create a scheduled task with the administrative credentials that will be run at a set time or interval.

You can manipulate scheduled tasks via the command line (schtasks.exe) or login script.

However, I have to warn you that whenever you intentionally make holes in your own security, you are asking for trouble later on down the line.

It will only take one smart ass in order to find the name of the .exe, and change it or put whatever he/she wants there instead - e.g. they can copy cmd.exe to the location and rename, then suddenly they have a command prompt with administrator privileges! (ok, you can use NTFS permissions and stuff, they could take the hard drive out - you can use Bitlocker/encryption...) the point I am trying to make is, it is a hole that you are intentionally introducing.

Another solution would be to re-architect the program. I would suggest as some sort of system service that does the work, and simply have a client that invokes the service as and when it is needed. This should work well.


What we ended up doing was creating a domain account that was going to act as a local administrator on each machine, which was pushed out by a GPO. We're then able to start our update application using these credentials.


Find out what registry setting and file settings that you need access to with procmon, filemon and regmon and use the default windows tools called cacls and regini to change those so you have proper access.


Look into RunAsGui. It allows you to store an encrypted credentials of an admin for a given program you want to allow your users to use. It's free.