04: Enable Standard Users to get into Control Panel Applets

Standard Users cannot get into most Control Panel applets. That could be a problem if they need to make some settings changes themselves. Check out this video to see how PolicyPak Least Privilege Manager can help you fix this common problem.

PolicyPak Least Privilege Manager: Enable Standard Users to get into Control Panel Applets

Hi. This is Jeremy Moskowitz, and in this video I’m going to show you how you can use PolicyPak Least Privilege Manager to let standard users get into stuff in the Control Panel that they normally wouldn’t be able to.

By way of example, here I am just a standard guy. Let’s say I want to right click and go to “System” and go click on “Device Manager.” Well, this is an interesting case. As a standard user, it even says, “You are logged on as a standard user. You can view device settings in Device Manager, but you must be logged on as an administrator to make changes.”

That’s kind of a drag because if a USB port quits or they want to turn off their “CD-ROM” or something like that, long story short, they can’t do anything in here. That’s thing number one. Thing number two might be let’s say they just want to go to the basic disk defragmenter here, “Defragment and Optimize Drives.” The standard user can’t do this stuff. They can’t click on “Change Settings.” They get UAC prompted. Not good. None of that’s good.

What we’re going to do now is simply use “PolicyPak Least Privilege Manager,” right click, “Add/New Control Panel Applet Policy.” I’m going to make two rules. The first rule I want is “Device Manager.” That was easy – one click. Set up “Device Manager.” We want to “Run with elevated privileges.” We’ll go ahead and say “Let DM run,” and we’ll go ahead and click enter.

We’ll go ahead and do another one, “Add/New Control Panel Applet Policy.” This one is a little bit harder to find because it’s not called defragment. It’s called “Optimize Drives.” There you go. We’re going to “Optimize Drives,” click “Next,” “Run with elevated privileges.” We’ll go ahead and call this “Let Defrag run” and click “Finish.” That’s it, all there is to it.

We’ll go ahead and go over to our endpoint here. We’ll run GP Update. We’ll go ahead and wait for this to finish. Again, remember, Group Policy runs in the background all the time and also when the guy logs on or changes computers. If you are not a Group Policy shop and you want to use something like Altiris or SCCM or even PolicyPak Cloud, all the magic is done using PolicyPak. There are various ways of getting the magic out there.

Let’s go ahead and test it out. We’ll right click. We’ll go back to “System” here, and let’s check out “Device Manager.” What happens this time? It sails right through. If we want to “Disable” our “CD-ROM” now, we can do this because now just “Device Manager” is running with elevated privileges. But other stuff like “System protection,” we didn’t say that was good so it’s not permitted. We’re not running with the scissors all the time with admin rights.

The other example that I had was the disk defragmenter, so let’s go ahead and check that out: “Defragment and Optimize Drives.” Here we go. We can “Change settings” first and do all that other stuff. You can see that these other prompts, “Optimization not available,” so these guys are not lit up. But the point is before “Change settings” was behind a UAC prompt, and now at this point I can do what I want to do here.

It’s as simple as that. But again, you’re not running with the scissors all the time. You’re elevating just the things you need, just the times you need them. That is using PolicyPak Least Privilege Manager with Control Panel applets, enabling standard users to get to portions of the operating system where they would not normally be able to.

If this is interesting for you and you want to try it out, just give us a buzz or come to our webinar and we’ll hand over the bits and you can try it yourself. Thanks.

  • 181
  • 02-Jul-2019