Rajtoor (Copper Contributor)
Nov 14, 2024
Allow non admin users access to apps
I am sharing my laptop with my kids. Some of the default apps like Word etc. work, but other applications or games are blocked by Windows with the error message "This app has been blocked by your system administrator". They have their own user profiles, and all of the suggestions I read suggest giving admin access, which I do not want to give them. Even I, following security best practice, should not be working under an admin account, but cannot because of the same reason. I have Windows 11 Pro.
How can I enable access to applications without giving admin access? This security best practice needs to have a solution from Microsoft.
2 Replies
- Rajtoor (Copper Contributor)
Thank You. I have not seen this solution from anyone in my search.
I do have family safety, but it seems to work with normally installed apps.
Using AppLocker in GPO and creating new rules for specific paths worked for me. I now need to look at migrating my data to a new profile.
- You can use AppLocker (available in Windows 11 Pro) to create rules that explicitly allow or block applications based on user groups.
- Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Executable Rules
- Create a new rule to allow specific apps for the non-admin user group (e.g., your children's user accounts).
- kyazaferr (Steel Contributor)
- App-Specific Permissions:
  - Change App Properties: Right-click the app's executable file (.exe), select Properties, go to the Compatibility tab, and check "Run this program as an administrator". While this does not solve everything by itself, pairing this with the RunAsInvoker method (explained below) can help bypass unnecessary UAC prompts.
  - App Execution Policy: Ensure the app is not restricted by a Windows Defender Application Control (WDAC) policy. Adjust policies if necessary.
- Use RunAsInvoker Technique:
  - Modify the app to run without elevation by using the RunAsInvoker feature. This can be done with a command-line tool such as PowerShell or Command Prompt:
    set __COMPAT_LAYER=RUNASINVOKER && path\to\application.exe
  - This command allows an app to run under the current user context without requiring admin privileges.
- Adjust Group Policy Settings:
  - Open the Group Policy Editor (gpedit.msc) and navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
- Whitelist Apps for Specific Users:
  - You can use AppLocker (available in Windows 11 Pro) to create rules that explicitly allow or block applications based on user groups.
  - Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Executable Rules
  - Create a new rule to allow specific apps for the non-admin user group (e.g., your children's user accounts).
- Create a Task Scheduler Entry:
  - Use Task Scheduler to create a task that runs the application with elevated privileges but under your own admin credentials, without exposing the password:
    - Open Task Scheduler and create a new task.
    - Configure it to run with the highest privileges.
    - Set a trigger that allows the non-admin user to run the task (e.g., on-demand).
    - Create a shortcut to the task and place it in the non-admin user’s desktop or start menu.
- Parental Controls and Family Safety:
  - Use Microsoft Family Safety to manage app access and screen time. While primarily for web and app usage monitoring, it can help configure user-specific permissions.

Security Best Practice:
- Separate Admin Account: Always keep an admin account separate for administrative tasks and use a standard account for day-to-day activities. This reduces the risk of malware or accidental changes affecting the system.
- User-Specific Privileges: Only grant elevated access to specific applications rather than entire user accounts to minimize security risks.
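
A scripted version of the AppLocker approach that worked for the original poster, as an added example that is not part of either reply: it builds allow rules for one app folder scoped to a local group, dry-runs them, and only then merges them into the local policy. The folder `C:\Games\ExampleGame` and the group `Kids` are hypothetical, and the existing local policy is assumed to already contain the AppLocker default rules so that Windows and installed programs keep running.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Hypothetical values: the app folder, and a local group "Kids" that holds
# the children's standard accounts.
$AppDir = 'C:\Games\ExampleGame'
$Group  = "$env:COMPUTERNAME\Kids"

# AppLocker rules are only evaluated while the Application Identity service runs.
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType

# 1. Collect publisher and hash information for every .exe under the app folder.
$files = Get-AppLockerFileInformation -Directory $AppDir -Recurse -FileType Exe
if (-not $files) { throw "No executables found under $AppDir" }

# 2. Build allow rules scoped to the group. Publisher rules are used where the
#    file is signed, with hash rules as the fallback. A plain path rule would
#    also allow anything later copied into the folder if standard users can
#    write to it, so path rules only suit folders that need admin rights to change.
$policy = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User $Group `
    -RuleNamePrefix 'Kids-ExampleGame' -Optimize

# 3. Dry run: evaluate the generated rules for the group before touching the
#    live policy. Every executable should come back as Allowed.
$exePaths = @((Get-ChildItem -Path $AppDir -Recurse -Filter '*.exe' -File).FullName)
$results  = Test-AppLockerPolicy -PolicyObject $policy -Path $exePaths -User $Group
$results | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

$blocked = $results | Where-Object { $_.PolicyDecision -ne 'Allowed' }
if ($blocked) { throw "Rules do not cover: $($blocked.FilePath -join ', ')" }

# 4. Merge into the local policy; -Merge keeps the rules that are already there
#    instead of replacing the whole policy.
Set-AppLockerPolicy -PolicyObject $policy -Merge

# 5. Confirm the decision the effective policy now gives the group.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $exePaths -User $Group |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```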