You are using an unsupported browser. Please update your browser to the latest version on or before July 31, 2020.

14: How do I elevate MMC snap ins without granting administrative rights?

A standard user may not be able to run an MMC console without elevated rights. For instance, a standard user does not have the ability to start, stop or change the configuration within any service. This article will step through the process to create a policy to allow this and other items similar to this.

  1. Create a new GPO or edit an existing one
  2. Expand the PolicyPak node (user or computer policies may be used but general recommendations are to us users where possible) and select "Least Privilege Manager"
  3. Create a new "New Executable Policy"

  4. Select "Use combo rule (advanced)" and click NEXT

  5. Select "Apply command-line arguments", leaving everything else as-is and click NEXT

  6. Under Path Condition, click Add -> Add file ...

  7. In the Path field, type in "*\mmc.exe" (no "") and click OK

  8. Click on Command-line Arguments, select "Strict equality", under Arguments type in the exact path to services.msc (*C:\Windows\system32\services.msc*) and click NEXT

  9. Ensure "Run with elevated privileges" is selected and click NEXT

  10. Name it according to your conventions (e.g. "Elevate Services.msc") and click FINISH

Note: Users will not acquire this new GPO until Group Policy is refreshed on the user's computer either through automatic or manual means.

  • 872
  • 04-Feb-2021