I want the account to be able to use one app that requires administrative privileges. I have contacted the support team of the app to find out why it needs these privileges, but I didn’t receive any helpful information.
The app is for viewing surveillance footage, but it requires admin privileges to open. I don’t want to make every employee an administrator just for this one use case. It might be better to switch to a FOSS app that doesn’t require administrative privileges by default.
The cameras we currently use are made by the vendor of the app, so maybe we’re locked in somehow? The NVR is also made by them, so it might be possible, but I don’t know for sure. I need to look into it more.
You need to put the domain user in the local administrators group. Easiest way to do this is through the Computer Management MMC snap-in.
It’ll give full admin rights over the local computer though - You can’t just give admin rights to one program AFAIK.
I’m concerned because there are a lot of employees that are using this one program and I’m worried about them accidentally installing something down the line. Thanks for your response btw.
The above is correct for what the vendor says their application needs.
But I guarantee that the account that runs the application does not require local admin permission. That’s just sloppy fucking code; someone realized that the accounts that run the app would need extra permissions, and just went “local admin it is.”
This is unconscionable from a vendor that provides software for viewing security cameras.
Someone else said, “Escalate beyond tier 1 support,” and this is true. You’re going to have to be really persistent, maybe even a bit of an “asshole,” but it will be justified, and nothing is more satisfying than that.
Yep.
Windows security model is predicated upon the user. So apps get the security context of the user that launched it.