Nifty solution to some of the problems of least privilege

One of my fellow Microsofties has come up with a neat solution to some of the hassles of running your workstation using a non-admin account. My advice for getting around things you can’t do as a non-admin has long been to simply run programs from a command prompt that you’ve started with RunAs, using the credentials for an account with admin privileges. The problem is that some programs don’t play well in this scenario, particularly install programs that run based on specific settings for the user installing the program. When you run programs like this, they (and/or their settings) end up associated with the admin account you’re using, rather than your less-privileged account.


Aaron Margosis has come up with a way to fix this that’s quite easy to use. His solution is to create a batch file that adds your less-privileged account to the Administrators group, using the credentials of an existing admin account, then spawns a new command prompt using the account that you just added to the administrators group. The batch file then removes your less-privileged account from the Administrators group.


By doing it this way, Aaron’s solved two of the tricky parts of elevated privilege…keeping the scope small (only the command window has the elevated privileges, until/unless you spawn other programs from it), and making sure that profiles of apps that you install are associated with YOUR account, rather than the admin account you’re using). I’ve only played with this briefly, but it looks to be quite a nice solution to a vexing problem.


The download available from Aaron’s blog also includes a batch file for setting yourself up as a Power User, in case you’d like to further limit the privileges you’re granting yourself. There are still some caveats with Aaron’s approach, so make sure you read his entire post and understand what the batch files are doing before you use them, but with that caveat, I think this is a great addition to our security toolbox!



  • I agree, Aaron has been providing some great articles on his blog about overcoming obstacles to running and developing as a non-admin. Well worth reading all he has to say.

  • Has anyone ever heard of the least privilege policy being applied to DBAs and System Administrators? I just started a job with a new company and I'm told that's the policy around here. HELP!!!!!!!!!

Comments have been disabled for this content.