Computer Education

Workaround for software that won't run in restricted accounts

In many situations involving multi-user environments, and especially in teaching, it is desirable to be able to run software in accounts with limited privileges. Unfortunately, some software will run only in accounts with administrative privileges. Here we discuss how to work around this problem using the command line and cacls or VBScript and runas.


When it is desired to put restrictions on the software that can be used by non-administrative accounts, there are several possibilities. One is that a user account can be prevented from running one or more applications. Another is that a user account can be allowed to run only certain software. These restrictions can be achieved by using the Group Policy Editor (the console gpedit.msc) or by directly editing the Registry. For those who wish the technical details, there is a Microsoft paper on restricting applications that a user can run.

A slightly different problem is encountered when it is desired to have users in a limited account have access to software that will only run in administrator accounts. When they are installed, most programs that have been written since the advent of Windows XP will either give a choice of being available to all users or will default to a setting that is for all users. However, some older programs and some less compliant newer programs will not run in limited accounts. Depending on the program, there are several possible ways to give limited accounts access to this type of software.

Using the command line to change permissions

Some applications can be run in limited accounts by changing the user permissions. (Note that this applies only to NTFS and not to FAT32 formatted systems.) Windows XP comes with a command line program specifically for changing permissions (called ACLs or "access control lists" in Microsoft-speak). To open a command window, enter "cmd" in the Start-Run line. The applicable command is "cacls" and its various switches are shown in a picture of a command line window below. To see this information on your own computer, open a command window and enter "cacls /?" (without the quotes).

 

It is often best to grant the limited user access to the entire folder for the program in question. Otherwise, some programs will not work. If a program is located in the folder "Program Files" as is usual and if its folder is called "newprogram", the command to be entered is

cacls "C:\Program Files\newprogram" /e /t /p users:c

The meaning of the switches can be seen in the figure above. For additional information, consult the Windows XP help function. Even after changing permissions in this way some programs may still not be accessible to a limited account. For example, I have not been able to get PrintShop 15 to work by this procedure. Instead, I had to use another method, the "RunAs" command.
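The cacls procedure above as a batch file, given here as an added example that is not part of the original article: it saves the current ACL, applies the command with each switch annotated, and lists the resulting entries for review. The folder name "newprogram" is the article's placeholder and the name of the saved listing is an assumption; run it from an administrator command prompt.

```batch
@echo off
rem Added example, not from the original article.
rem "newprogram" is the article's placeholder folder name.
setlocal
set "APPDIR=%ProgramFiles%\newprogram"
rem Assumed file name for the saved "before" listing.
set "BEFORE=%TEMP%\newprogram-acl-before.txt"

if not exist "%APPDIR%\" (
    echo Folder not found: %APPDIR%
    exit /b 1
)

rem 1. Save the ACL as it is now so the change can be reviewed later.
cacls "%APPDIR%" > "%BEFORE%"
echo Saved current ACL to %BEFORE%

rem 2. The article's command, switch by switch:
rem      /e          edit the existing ACL instead of replacing it
rem      /t          apply to the folder, its files and all subfolders
rem      /p users:c  replace the Users group's rights with C
rem                  (Change, which includes write access)
rem    Entries for other accounts are left alone because of /e.
cacls "%APPDIR%" /e /t /p users:c

rem 3. List the entries that mention Users for a visual check.
rem    The match also shows a Power Users entry if one exists.
echo.
echo Entries for Users on %APPDIR% after the change:
cacls "%APPDIR%" | findstr /i "Users:"

rem 4. To take the change back, return Users to Read and compare
rem    the result with the saved listing:
rem      cacls "%ProgramFiles%\newprogram" /e /t /p users:r
endlocal
```

Limiting the change to the one program folder, rather than all of "Program Files", keeps the extra write access confined to the application that needs it.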

The "RunAs" command

Windows XP comes with a feature that allows for the running of a program by an account other than the current user. The command is "Run as" (or to confuse matters, in some contexts it is one word "Runas"). One way to access "Run as" is through the right-click context menu. Hold down the "Shift" key and right-click on an executable file. The context menu will contain an entry "Run as". When "Run as" is selected the first dialog box shown below appears. In this box the current user will be selected.

 

To change to a different user click the radio button, "The following user:", and the next box will open.

We want to use the Administrator account but, as is shown above, that requires that the password for that account be entered. Since it is normally desirable that limited accounts not know the administrator password, an approach that disguises the password is needed. This can be accomplished by using a script employing the command line version "runas" (now in the form of a single word). The script is placed in the program folder of the particular program of interest and a shortcut to the script is placed on the Desktop of the limited account or other convenient location. The same icon can be applied to this shortcut as would normally be used for the program being run.

A VB script for the specific case of PrintArtist 15 is given below. For other programs substitute the appropriate executable program file. Since many anti-virus programs block VB scripts, you may need to mark this script as safe according to whatever procedure your particular anti-virus program uses. Also, the dummy password in the script will need to be changed to the Administrator password on your system, which is then stored in the script file as plain text. Include the tilde at the end. Note that this password must be the one for THE administrator account.

To use the script, copy and paste the text into Notepad and save with a VBS extension. The script has been used successfully in a SeniorNet class at the Ewing, NJ Learning Center.

'This script allows limited accounts to use PrintArtist (PA)
'as the Administrator. It must be placed in the same
'folder with the executable program file for PA. A shortcut
'to this script file can then be put on the student Desktop.
'Your antivirus program may need to be set to allow scripts.
'Written by Vic Laurie, May, 2004
'Not responsible for any problems arising from use of the script
'-------------------------------------------------------
Option explicit
dim oShell
set oShell= Wscript.CreateObject("WScript.Shell")
oShell.Run "runas /user:administrator ""PrintArt.exe"""
WScript.Sleep 100
'Replace the string yourpassword~ below with
'the password used on your system. Include tilde
oShell.Sendkeys "yourpassword~"
Wscript.Quit

 


©2002-2016 Victor Laurie