How to Allow Normal Users Temporary Access to Local Administrator Tasks

ID: Q231270


The information in this article applies to:
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server


SUMMARY

This article describes how to let normal users perform a task or run a program on their computers that requires administrative privileges without changing the users' current security settings.


MORE INFORMATION

You can use the Task Scheduler tool that runs on every Windows 2000-based computer to schedule certain Microsoft Management Console (MMC) tools or other programs to run on a user's computer in the context of the SYSTEM account. This allows a normal user to manually perform those tasks without allowing the user to perform any other unauthorized administrative task.

The following example demonstrates how you can allow a normal user who does not have administrator privileges to run the Disk Management console.

  1. From another networked computer in the domain, log on as a user who has administrator privileges.


  2. Type the following command at a command prompt:
    at \\machine_name 1:00pm /interactive %systemroot%\system32\diskmgmt.msc
    where \\machine_name is the name of the user's computer.


This example starts the Disk Management console on the user's computer at 1:00 P.M. so that the locally logged-on user can manage or perform maintenance on the computer's disks. You can adjust the command to fit your needs.

Because Task Scheduler, by default, is run using the local SYSTEM account, certain tasks that require domain credentials cannot be performed. To test which tasks can and cannot be performed using this method, use the following procedure on a test computer to schedule a command prompt:
  1. Log on to a Windows 2000 Professional-based computer as a domain administrator.


  2. Start a command prompt by clicking Start, clicking Run, typing cmd.exe, and then clicking OK.


  3. Run the following command:
    at 1:00pm /interactive %systemroot%\system32\cmd.exe


This starts another command prompt using the SYSTEM account and allows you to test which commands or tasks will run and which ones will not because they require domain or higher privileges.

For example, running the Dsa.msc (Active Directory) console from the command prompt does not work because you do not have domain credentials, but the Dfrg.msc (Disk Defragmenter) console does run because it requires only local credentials. Using this method, you could schedule Setup for a program on a floppy disk or CD-ROM that would normally require administrative privileges to install, without visiting the computer locally.

CAUTION: Be careful not to schedule anything that the user at the computer can terminate in a way that leaves a working command prompt. If the program you need to run does not require any user input, leave the /interactive switch off so that the program runs in silent mode and is not accessible to the user. Microsoft recommends thorough testing before using this method to ensure you cover any security risks.
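
The following is an added example, not part of the original article and not Microsoft code: a small Python check that reviews planned at commands against the CAUTION above before they are scheduled. The verdict names, the list of programs treated as command prompts, and the third sample command are assumptions made for illustration.

```python
import re

# Assumption: programs that give the logged-on user a SYSTEM command prompt.
SHELLS = {"cmd", "cmd.exe", "command.com"}
# Switches at.exe accepts between the time and the command.
SWITCH = re.compile(r"^/(interactive|every:.*|next:.*)$", re.IGNORECASE)

def review_at_command(line):
    """Classify one 'at' scheduling command against the CAUTION above."""
    tokens = line.split()  # assumption: no quoted paths containing spaces
    if not tokens or tokens[0].lower() not in ("at", "at.exe"):
        raise ValueError("not an at command: %r" % line)
    tokens = tokens[1:]
    target = "local"
    if tokens and tokens[0].startswith("\\\\"):  # optional \\computername
        target = tokens.pop(0)
    if not tokens:
        raise ValueError("missing time: %r" % line)
    when = tokens.pop(0)
    interactive = False
    while tokens and SWITCH.match(tokens[0]):
        if tokens.pop(0).lower() == "/interactive":
            interactive = True
    if not tokens:
        raise ValueError("missing command: %r" % line)
    program = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if not interactive:
        verdict = "silent"   # no window on the user's desktop
    elif program in SHELLS:
        verdict = "shell"    # hands the user a SYSTEM command prompt
    else:
        verdict = "review"   # SYSTEM window the user can drive; test it first
    return {"target": target, "time": when, "interactive": interactive,
            "program": program, "verdict": verdict}

# The two commands from this article, plus one constructed non-interactive job.
SAMPLES = [
    r"at \\machine_name 1:00pm /interactive %systemroot%\system32\diskmgmt.msc",
    r"at 1:00pm /interactive %systemroot%\system32\cmd.exe",
    r"at \\machine_name 1:00pm a:\setup.exe",  # constructed sample
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = review_at_command(sample)
        print("%-7s %-14s %s" % (result["verdict"], result["program"], sample))
```

A "review" verdict means the job opens a SYSTEM-context window on the user's desktop and should go through the test procedure described above before deployment.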

Keywords : kbenv kbtool
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbhowto


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved.