A standard user may not be able to run an MMC console without elevated rights. For instance, a standard user does not have the ability to start, stop or change the configuration of any service. This article steps through creating a policy that allows this and other similar items.
Create a new "New Executable Policy"
Select "Use combo rule (advanced)" and click NEXT
Select "Apply command-line arguments", leaving everything else as-is and click NEXT
Under Path Condition, click Add -> Add file ...
In the Path field, type in "*\mmc.exe" (without the quotes) and click OK
Click on Command-line Arguments, select "Strict equality", then under Arguments type in the exact path to services.msc ("C:\Windows\system32\services.msc") and click NEXT
Ensure "Run with elevated privileges" is selected and click NEXT
Note: Users will not acquire this new GPO until Group Policy is refreshed on the user's computer either through automatic or manual means.
To test this out, you can use the RUN command like this… and be sure to type in the EXACT command you’ve specified in step 8. Only then will elevation occur.
Additionally, you can test with a command prompt like what’s seen here. Again, the command has to match exactly.
Note that other avenues, such as launching from the Start menu or using an alternate command line, will not work. An example like this… will not work because it is NOT the exact same command line.
In order to make this work, you need to specify a second policy with alternate approved command lines. For instance, you could do this, which removes the requirement for c:\windows\system32\services.msc.
The result would be that the shorter command line: mmc services.msc is accepted and runs elevated.
However, at no time would the shortest expression, “services.msc” on its own, work. The required mmc must appear on the command line before services.msc.