I would except that it's not admin accounts that we are elevating with most of the time.
Specifically, we have one script the enables and disables our VPN network adapter (not the client - the actual adapter) - this one we do use an admin account. I'm sure there is a local security setting to allow non-admins to do this but I'd like to limit it just to this particular adapter. The other one is a REALLY poorly written remote DVR viewing app that needs read/write to c:\ but only the root so we created a special user that only has those permissions. I don't really want the standard user who browses the web to be able to drop stuff at the root of c:\. I just don't get why it's looking for a DC if I explicitly say it's a local account. - Andy O. >-----Original Message----- >From: Ben Scott [mailto:[email protected]] >Sent: Tuesday, May 12, 2009 3:35 PM >To: NT System Admin Issues >Subject: Re: Runas - local account when joined to domain > >On Tue, May 12, 2009 at 1:53 PM, Andy Ognenoff <[email protected]> >wrote: >> I've got a couple applications that we have regular users run (non-admin) >> that require elevated privileges ... > > Have you tried hitting the apps in question with LUA BugLight? If >you can just grant permissions to some filesystem and/or registry >branches, that's a lot better than mucking around with admin accounts. > >-- Ben > >~ Finally, powerful endpoint security that ISN'T a resource hog! ~ >~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
