Windows user accounts Admin or SUA - all or nothing? more fine grained control?

I want to create a restricted Admin account where I can assign certain privileges to it. Is that possible on a simple Windows 7 Ultimate Desktop?
The User Accounts GUI gives me only the choice between Admin and Standard User. That means I need to fully trust anyone who does some minor administration tasks with full superuser privileges.

I know that MS uses the least privilege principle with services: instead of SYSTEM which is unrestricted some services run under LOCAL SERVICE or NETWORK SERVICE that only got the privileges they need. Where is that option for "real" user accounts?

Basically I'm looking for the Windows equivalent to POSIX capabilities, sudo and/or one of the RBAC/MAC systems.

All I can find is Active Directory and AGDLP. But that looks awfully complicated and overkill and doesn't even seem to be doing what I want.

 

Have you examined all of the groups that are included with Ultimate? Perhaps you can assign this user to one of those for more granularity?

I haven't tried it in w7, but in XP I used the security template snap-in to do things that you are suggesting.

Sul.

 

Thanks for the reply, sadly those preconfigured groups are way too coarse grained.

I'd like the ability to allow an otherwise standard user to execute certain programs, commands or bat files that throw up an UAC dialog requiring an Admin passwd -without handing them out that password.

 

Hmm. I will think on that a bit. The program(s) are statically known? or dynamic?

Sul.

 

One way that comes to mind is having a small utility that they drag/drop programs onto. This utility basically performs a RunAs, and has the password encrypted within it or via encrypted .ini file or something.

I am pretty certain it would work, haven't tried it of course. The trick part would be that it would give them carte blanche access to anything dropped to it, unless you were to put in the utility code that predefined what processes were allowed to start.

Anything is possible, although sometimes they are not the solutions that seem best.

Sul.

Edit: upon further thought, there might be ways to use the registry to house a list of approved processes that the utility could spawn. All you need to do modify that particular registry key so that only your user account has write access, then no matter if the user started a program with admin rights or not, as long as it was not your admin account, there would be no write/modify rights. All of this could be done easily for a custom registry key without having to muck with registry rights/inheritance much at all.

 

Static.

Many thanks for sharing your ideas. Sadly what you are describing is above my windows knowledge and I wouldn't know where to start.

 

I hope am I not misunderstanding what you're talking about, but wouldn't SuRun fit this description?

At least, it is to my understanding that you can add what apps would be started with administrator privileges, and automatically elevate it, without having to prompt for the password; while everything else wouldn't be allowed, unless you wish it so.

 

SuRun is probably an option, I have only tried it once on win7, so don't know exactly.

Katio, if you want to try SuRun, do so. If you don't, or don't like SuRun, I already have some code that almost does what I described. It might be trivial to convert it for a use such as you speak of. If you can wait around for your answer, perhaps I will create a new little tool for such purposes. No promises though on when that might be, I seem to always have much to do. But, it would be a good exercise for me, so I am interested.

Sul.

 

You can do that with SuRun. When you configure it, you can select that users can only run pre-defined apps using SuRun. You can then select don't require a password and also not allow them to change any SuRun settings, etc. If you install it and look through the settings, it's pretty much self-explanatory.

 

How to avoid typing UAC (User Account Control) credentials for selected programs

 

I'll have to do some further testing on which option I'll choose but that's something to work with.
Thanks everyone!