Need to run a batch file elevated or merge registry keys or run any other command line utility as a STANDARD USER? Learn how to do it using PolicyPak Least Privilege Manager.
PPLPM: Enable Standard Users to run command line commands
Hi. This is Jeremy Moskowitz, Group Policy MVP and Founder of PolicyPak Software. In this video, I’m going to show you how you can enable a standard user to do things like turn off a service or import a specific registry set or any number of things that might require command-line arguments.
By way of example, if a standard user went to “sc,” which is the services command, “sc stop wsearch,” which would stop the Windows search service, they are not allowed to do that thing because they’re just a standard user.
But you can use PolicyPak Least Privilege Manager and add what’s called a “New Executable Policy.” We’re going to “Use combo rule” because we have to do two things. The first thing is we have to say what application is allowed to run on the command line, and then we have to give it the “Command-line arguments,” what are we saying is allowed and not allowed.
What we’re saying is allowed for the “Path Condition,” that’s the name of the thing we want, we’ll go ahead and “Add file” here. SC is on every Windows, so that’s “c:\windows\System32\sc.exe.” That’s the services executable.
Then the “Next” thing is the “Command-line arguments.” For the command-line arguments, what you can put in depends on the kind of thing you’re trying to do. If your command line has slashes like “/switch1” and “/switch2,” then you can use this as an idea: “Ignore arguments order,” which lets you put /switch2 and then /switch1. That’s okay. “Any argument from the list,” you could do the command in just /switch2 or just /switch1.
But actually this command is a little special. It has no slashes. Because this command has spaces and no slashes, we have to use what’s called “Strict equality” mode. That means it has to be in exactly this order. So that’s SC as the command, and then the next thing we’re going to do is say “stop wsearch.” There we go. We’re saying “Strict equality,” “stop wsearch.” It has to be exactly in this order, or we’re not going to let it run.
We will “Run with elevated privileges” for just that thing. We’ll go ahead and do that. We’ll say, “Just let user stop Windows Search service (but not others).” We’ll click “Finish” here, and that’s it. Let’s go back over to our endpoint here. Let’s go ahead and do “sc query” to take a look at all the services we have. We have a zillion of them.
First of all, we have to run GP Update. GP Update will get the signal from Group Policy of the new superpowers that this standard user could do where ten seconds ago they couldn’t. We’ll go ahead and let that finish. Then we’ll run the command with strict equality, which means that it must be in that exact order. That was “sc stop wsearch.” You can see that it is “PENDING.”
Let’s try to do this same thing for something that we didn’t grant the user to do. How about this guy? It doesn’t really matter. We’ll just go ahead and copy that, and then we’ll go back here and paste that. There you go. Users are not able to stop services that you didn’t say they were enabled to. It’s just as simple as that.
If you’re looking to get started with PolicyPak Least Privilege Manager, give us a buzz or sign up for a webinar and we’ll hand over the bits and you can start real soon.
Thanks so much.