Introduction
It’s Monday morning, 8:30 AM. Your help desk receives a flood of tickets: “I can’t install the printer driver,” “The software won’t launch,” “I need admin access to this tool.” The same story repeats daily. Your options seem limited:
Option 1: Give users local admin rights (security nightmare)
Option 2: Have them call the help desk every time (productivity killer)
Option 3: Set them up with complex workarounds (frustration central)
There’s a fourth option—and it’s the one most security-conscious organizations are now implementing. You can let standard users run specific applications with administrator privileges without giving them full admin rights. This approach eliminates help desk chaos, reduces security risks, and keeps users productive.
This guide shows you exactly how to do it: the native Windows methods, their limitations, and why third-party solutions like Advanced RunAs are transforming how IT teams handle this challenge.
The Core Problem: The Admin Rights Dilemma
Every IT administrator faces an impossible balance:
On one hand: Users genuinely need to run certain applications that require administrator privileges:
- Installing software or drivers
- Configuring network settings
- Managing system services
- Running diagnostic tools
- Accessing hardware-specific software
On the other hand: Giving users local admin rights opens the floodgates to catastrophic security problems.
Why Giving Users Full Admin Rights Is Dangerous
The statistics are sobering:
- 60% of data breaches involve compromised admin accounts
- 40% of system failures are caused by unauthorized changes made by admin users
- One malware download by an admin user can compromise the entire organization
- Help desk staff with admin rights are favorite targets for social engineering attacks
Real-world scenario that plays out thousands of times per year:
Monday 10 AM:
Help desk technician receives an email with attachment "Windows_Update_Urgent.exe"
Attachment looks legitimate
Technician clicks it
Monday 10:15 AM:
Ransomware spreads across network
All files encrypted
Business comes to halt
Tuesday morning:
Company discovers this technician had local admin rights
Investigation shows entire incident was preventable
Cost: $500K+ in downtime, data recovery, and investigation
This isn’t theoretical—it happens constantly.
The Cost of Help Desk Chaos
The alternative—requiring help desk approval for every admin task—creates its own problems:
Productivity Impact:
- User waits for help desk callback
- Help desk technician uses their own time to install software
- Simple 5-minute task takes 45 minutes
- Multiply this across 100 users = massive productivity loss
Help Desk Burnout:
- Tickets pile up for repetitive tasks that users can’t do themselves
- Technicians spend 30% of their time on “install this app” requests
- Turnover increases (help desk staff are exhausted)
- Support costs rise
Real cost calculation for 150-employee company:
Without self-service admin elevation:
- 10 help desk tickets per day for software/driver installation
- 30 minutes per ticket (including callback, remote connection)
- Cost: 5 hours technician time per day
- At $35/hour loaded cost: $175 per day
- Per year: $175 × 250 business days = $43,750
With Advanced RunAs:
- Users run approved apps themselves (2 minutes vs. 30)
- Help desk handles maybe 2-3 exceptions per day
- Cost: 1-2 hours technician time per day
- Savings: $35,000+ per year for medium-size company
The Perfect Solution: Controlled Privilege Elevation
The answer is to let users run specific, pre-approved applications with administrator rights while keeping them locked out of everything else. They get the permissions they need. You maintain security. Everyone wins.
Understanding the Windows Native Approach
Before exploring third-party solutions, let’s understand what Windows offers natively—and why it falls short for most organizations.
Method 1: The RUNAS Command
The runas command is Windows’ native tool for running programs with different credentials. It’s been in Windows since Windows 2000.
Basic syntax:
runas /user:admin "C:\Program Files\Application\app.exe"
How it works:
- User runs the runas command
- Windows prompts for the admin password
- If password is correct, the app launches with admin rights
- User’s standard account isn’t affected
Limitations:
- ❌ Requires users to know the admin password (massive security problem)
- ❌ Password must be entered every single time
- ❌ Users often forget the syntax, making it unusable for non-technical staff
- ❌ No centralized control (if password changes, all users are disrupted)
- ❌ Audit trail is minimal (hard to track who ran what)
Example of the security problem:
If you tell users: “Use runas with the admin password when you need to install something,” what happens?
- Users write the password on sticky notes
- Passwords get shared in email (“Hey Bob, here’s the admin password”)
- Former employees still know the password
- Help desk receives calls: “I forgot the admin password”
- You’re forced to reset it, disrupting everyone
- Password complexity decreases (users need something memorable)
This method is fundamentally broken for organizations.
Method 2: Using /savecred (Worse Than Broken)
Windows’ runas command includes a /savecred parameter that saves credentials in the Credential Manager, so users don’t have to type the password every time:
runas /user:admin /savecred "C:\Program Files\Application\app.exe"
This sounds convenient—and it’s a catastrophic security mistake.
Why /savecred is dangerous:
Once credentials are saved, any user at that computer can use them. It doesn’t matter if it’s:
- A contractor who visits the office
- A temp worker
- The intern
- An attacker with physical access
They can all run the saved command with admin rights.
Microsoft explicitly warns against this:
“/savecred: Saves the password so it has to be entered only the first time the RunAs command is used. This parameter creates a security risk.“
Real vulnerability:
Office scenario:
You set up /savecred for a technician at a help desk computer
Technician goes to lunch
Attacker sits at that computer (or connects remotely)
Runs the saved runas command
Gets admin access
Installs backdoor malware
Leaves no trace
This is not theoretical. It’s a common attack vector.
Method 3: Task Scheduler
Another native Windows approach uses Task Scheduler to run applications with elevated privileges:
How it works:
- Create a scheduled task
- Set the task to run with admin privileges
- User double-clicks the task to launch the application
Limitations:
- ❌ Complex setup for non-technical admins
- ❌ Limited flexibility (one task = one application with one set of parameters)
- ❌ No centralized management across computers
- ❌ Difficult to audit who’s running what
- ❌ Scaling to hundreds of users is nightmare territory
When you need to deploy this to 200 computers, Task Scheduler becomes impractical.
Method 4: Group Policy (Limited Scope)
Active Directory Group Policy can be used to create Run As shortcuts, but only in specific scenarios:
Limitations:
- ❌ Requires Active Directory domain
- ❌ Only works for applications that support being run through GPO
- ❌ Deployment is complex and error-prone
- ❌ Troubleshooting failed deployments is a nightmare
- ❌ No built-in audit trail for access
Real-world example of why this fails:
You spend 3 days setting up GPO for a vendor application. After deployment, one department can’t access it because their machines aren’t in the right OU. Troubleshooting takes hours. End result: you’ve spent 10 hours solving one application elevation problem.
Method 5: Disable UAC (The Wrong Answer)
Some organizations just disable User Account Control (UAC) entirely. This is an absolutely terrible idea:
What it does:
- Removes ALL permission prompts for admin tasks
- Users can install anything, change any setting, access any file
Why it’s dangerous:
- Malware installs silently with no prompts
- Ransomware spreads without detection
- Compliance violations (HIPAA, PCI-DSS, SOC 2 all require UAC)
- One click on a malicious link = entire network compromised
This isn’t a solution—it’s capitulation to security risk.
The Problem With Native Windows Methods
After reviewing all native Windows approaches, the pattern is clear:
| Method | Security | Usability | Scalability | Auditability |
|---|---|---|---|---|
| Runas command | Poor | Poor | Poor | Poor |
| /savecred | Terrible | Good | Poor | Poor |
| Task Scheduler | Fair | Fair | Poor | Fair |
| Group Policy | Fair | Fair | Fair | Poor |
| Disable UAC | Terrible | Excellent | Excellent | Terrible |
Native Windows methods force you to choose between security and usability. You can’t have both.
This is why IT professionals—from small companies to Fortune 500 enterprises—have turned to third-party privilege elevation solutions.
Third-Party Solutions: Why They’re Different
Specialized privilege elevation tools like Advanced RunAs solve the native Windows method problems by:
- Centralized Control: Manage all elevated applications from one console
- Granular Permissions: Allow specific users/groups to run specific apps
- No Shared Passwords: Users don’t know admin passwords
- Comprehensive Auditing: Complete logs of who ran what, when, and why
- Easy Deployment: Works across domain and workgroup computers
- Flexibility: Handle complex permission scenarios native Windows can’t
Comparison: Native Windows vs. Third-Party Tools
Scenario: Let 150 help desk technicians install printer drivers without giving them full admin rights
Using Native Windows Methods (runas command):
Step 1: Decide who gets access
Problem: Do they all get the admin password?
Risk: If password is shared, it defeats the purpose
Step 2: Explain the command
"Use: runas /user:admin notepad.exe"
Problem: Most help desk staff struggle with command line
Help desk calls: "What do I type again?"
Step 3: Password changes every 90 days
Problem: Have to re-train all 150 people
Problem: Some still use old password
Problem: Password sits in scripts or documentation
Step 4: Someone leaves the company
Problem: They still know the admin password
Risk: Former employee could log in remotely
Step 5: Audit time arrives
Auditor asks: "Who has admin password?"
Your answer: "Uh... probably around 200 people"
Auditor's reaction: "That's a critical security finding"
Using Advanced RunAs:
Step 1: Configure in console
- Select "Printer driver installation"
- Assign to "Help Desk Technicians" group
- Set to require log entries
Done.
Step 2: Deploy to workstations
Group Policy push or manual installation
Done.
Step 3: Users run elevated app
Double-click "Install Printer Driver"
Application launches as admin
Users have no idea how it works (they don't need to)
Step 4: Password changes
No impact on users (they don't know the password)
Everything keeps working
Step 5: Someone leaves
Remove them from "Help Desk Technicians" group
Access immediately revoked
Done.
Step 6: Audit time
Auditor asks: "Who can run admin tasks?"
You show the list of users and groups
You show complete logs: "User X ran printer driver installer at 2:15 PM on Oct 15"
Auditor marks as "Compliant"
The difference isn’t subtle—it’s the difference between chaos and control.
How Advanced RunAs Works
Advanced RunAs is built specifically to solve the privilege elevation problem for IT teams who need:
- Security without sacrificing usability
- Scalability without management nightmare
- Audit compliance without complexity
Core Features
1. Approved Application Elevation
Define which applications users can run with admin rights. Everything else remains blocked.
Example configuration:
Help Desk Technicians can run:
✓ Printer driver installer
✓ Network adapter configuration tool
✓ Device manager
✓ Windows update utility
✓ Disk cleanup utility
But cannot run:
✗ Command prompt as admin
✗ Registry editor
✗ System configuration
✗ Anything else requiring admin
Users click the application, it runs with admin rights, they never know how it happened.
2. No Password Sharing
The application elevation happens using stored credentials that:
- Users never see
- Never get shared
- Can be changed without disrupting users
- Work with strong, complex passwords
3. Environmental Variable Support
Advanced RunAs can pass variables to applications, enabling complex workflows:
Example: Database administrator needs to access multiple servers
Application: Admin console for database server
Server parameter: %HOSTNAME%
Result: Application auto-connects to the current machine
4. User/Group-Based Permissions
Grant privileges by Active Directory group or individual user:
Domain Admins:
✓ All system administration tools
Tier 1 Support:
✓ Device manager
✓ Network troubleshooting tools
✓ Printer management
Tier 2 Support:
✓ All Tier 1 tools plus:
✓ System event logs
✓ Performance monitor
✓ Service management
Finance Department:
✓ Accounting application (elevated)
✓ Nothing else
5. Comprehensive Logging and Auditing
Every elevation attempt is logged:
Timestamp: 2025-10-30 14:32:15
User: john.smith
Computer: HQ-TECH-04
Application: Printer Driver Installer
Status: SUCCESS
Command Line: C:\Windows\System32\PrintUI.exe /il
(Every failed attempt, every successful run, everything is recorded)
This creates an audit trail that satisfies:
- SOX (Sarbanes-Oxley)
- HIPAA (healthcare)
- PCI-DSS (payment processing)
- SOC 2
- ISO 27001
- GDPR compliance requirements
6. Transparent to Users
Users don’t need to know anything about privilege elevation:
Old way (using runas):
User learns: runas /user:admin /savecred "command"
User forgets: What was that syntax again?
User calls help desk: Can you run this for me?
New way (using Advanced RunAs):
User sees: Shortcut called "Install Printer Driver"
User does: Double-click it
User expects: Application runs
Result: Exactly what they expected
Real-World Use Cases for Advanced RunAs
Use Case 1: Help Desk Self-Service
The Challenge:
Help desk team needs to:
- Install software and drivers
- Configure network settings
- Manage user accounts
- Access system tools
But you don’t want to give them full admin rights due to security risk.
The Solution:
Use Advanced RunAs to grant specific permissions:
Help Desk Staff Group has access to:
→ Device Manager (manage hardware)
→ Services Management (restart services)
→ Printer Management (manage printers)
→ Network Settings (configure network)
→ User Account Management (reset passwords)
→ System Event Viewer (troubleshoot issues)
Results:
- Help desk resolves 80% of issues independently
- Reduced escalations to senior admins
- Faster resolution time
- Less time on help desk calls
Real numbers from IT team using this:
Before Advanced RunAs:
- 40 escalations per week to senior admins
- Help desk works overtime 3x per week
- Average ticket resolution: 2.5 hours
After Advanced RunAs:
- 8 escalations per week to senior admins
- Help desk normal hours maintained
- Average ticket resolution: 45 minutes
Use Case 2: Manufacturing/Operations
The Challenge:
Factory floor supervisors need to access specialized equipment software that requires admin rights. You can’t give them full admin access (they could accidentally break the system or install malware).
The Solution:
Restrict their elevated access to only the equipment software:
Factory Floor Supervisors can run:
✓ Equipment Control Software v3.2
✓ Equipment Status Monitor
✓ Device drivers for manufacturing equipment
Cannot access:
✗ Anything else
✗ Command line
✗ Registry
✗ System settings
Results:
- Operators manage equipment autonomously
- No accidental system damage
- Security maintained
- Productivity increased
Use Case 3: Finance Department
The Challenge:
Accounting team uses specialized financial software that requires admin rights for proper function. You need to:
- Secure access to the application
- Prevent users from accessing other system functions
- Maintain audit trail for financial compliance
The Solution:
Advanced RunAs elevates ONLY the financial application:
Accounting Team can run:
✓ Financial Management Software (elevated)
✓ Nothing else
Every run is logged with:
- Who accessed it
- When it was accessed
- What transactions were processed
- Complete audit trail
Results:
- Application works correctly with proper permissions
- Financial compliance requirements met
- Audit ready at all times
- Unauthorized access is impossible
Use Case 4: Remote Workforce
The Challenge:
Remote workers need admin access to their own computers (VPN setup, printer installation, etc.) but you can’t trust them with full admin rights.
The Solution:
Deploy Advanced RunAs on remote machines to enable self-service elevation for specific tasks:
Remote Workers can run:
✓ VPN Client (requires admin to install/configure)
✓ Printer Management (install local printer)
✓ Network Diagnostics (troubleshoot connectivity)
✓ Software updates (elevated required)
Cannot run:
✗ Other applications
✗ Full admin command line
✗ System modifications
Results:
- Remote workers self-service simple tasks
- Help desk doesn’t need to remote in for every printer install
- Security maintained (no full admin rights)
- Productivity improved (no waiting for help desk)
Advanced RunAs vs. Competitors
Quick Comparison
| Feature | Advanced RunAs | Free alternatives | Enterprise solutions |
|---|---|---|---|
| Cost | Low | $0 | $$$$ |
| Setup Time | 30 minutes | 4-8 hours | Weeks |
| Ease of Use | Simple | Complex | Very Complex |
| Scaling | Unlimited devices | 1-5 devices | Enterprise |
| Support | Good | Community | Excellent |
| Audit Trail | Comprehensive | Basic/None | Comprehensive |
| On-Premise | Yes | Maybe | Yes |
| Cloud Required | No | No | Often Yes |
Why Advanced RunAs wins for mid-market organizations:
- Affordable: No per-user/per-device licensing
- Fast deployment: Working in 30 minutes, not weeks
- On-premise: Complete control, no cloud dependency
- Enterprise-grade features: Audit, logging, permissions
- Support matters: When things go wrong, you have help
Implementation: Getting Started with Advanced RunAs
Step 1: Assess Your Needs (15 minutes)
Ask yourself:
- Which applications need elevated access?
- Who should have access to each application?
- What compliance requirements do we have?
- How many computers will this affect?
Step 2: Install Advanced RunAs (10 minutes)
- Download from steelsonic.com/advanced-runas/
- Run installer on admin machine
- Follows standard Windows installer process
Step 3: Configure Elevated Applications (20 minutes)
Example: Allow help desk to run Device Manager as admin
1. Open Advanced RunAs console
2. Click "Add Application"
3. Browse to: C:\Windows\System32\devmgmt.msc
4. Set permission to: "Help Desk Group"
5. Enable logging: YES
6. Save
Done. Device Manager is now available to help desk staff with auto elevation.
Step 4: Deploy to User Computers (Varies)
Option A: Group Policy (Active Directory domain)
- Create Group Policy Object
- Point to Advanced RunAs installation
- Apply to target computers
- Done (automatic rollout)
Option B: Manual Installation
- Copy installer to computers
- Run on each machine
- Or: Batch deployment using your deployment tool
Option C: Using your deployment tool
- SCCM, Intune, PDQ Deploy, etc.
- Point to Advanced RunAs installer
- Deploy as you would any software
Step 5: Test and Validate (10 minutes)
- Test on one user’s computer
- Verify applications launch with admin rights
- Check logs to confirm it’s being recorded
- Gather feedback from user
Step 6: Full Rollout
Deploy to all target computers and users.
Total implementation time: 1-2 hours from concept to deployment.
Security Best Practices with Advanced RunAs
When implementing any privilege elevation solution, follow these security practices:
1. Principle of Least Privilege
Grant only what’s necessary:
❌ DON’T:
Give IT staff access to:
- Command prompt as admin (dangerous!)
- Registry editor (too much power)
- All system administration tools
✅ DO:
Give specific permissions for specific tasks:
- Printer driver installer (for printer troubleshooting)
- Device manager (for hardware issues)
- System event viewer (for diagnostics)
2. Regular Audits
Review logs regularly:
- Who accessed what, when, and why
- Look for unusual patterns
- Disable access for people who no longer need it
- Update permissions as roles change
Red flags to watch:
- User running elevated applications at unusual times
- Multiple failed attempts (indicates compromise attempt)
- Person accessing apps they shouldn’t have access to
3. Strong Credential Management
For the account that provides the elevation:
✅ DO:
- Use a strong, complex password (16+ characters)
- Change password every 90 days
- Use a service account (not a personal admin account)
- Limit who knows about the account
❌ DON’T:
- Use the same password as other admin accounts
- Write the password down
- Share with other IT staff
- Use a named person’s account (if they leave, chaos)
4. Group-Based Permissions
Use Active Directory groups, not individual users:
✅ DO:
Create group: "Help Desk Tier 1"
Assign all Tier 1 help desk staff to this group
Grant elevated access to this group
Result: When someone joins/leaves, just add/remove from group
❌ DON’T:
Assign each user individually
When someone leaves: Remember to remove their access?
When new person joins: Remember to add their access?
Result: Inconsistency, forgotten permissions, security risks
5. Monitor Failed Attempts
Advanced RunAs logs both successful and failed elevation attempts.
Failed attempts indicate:
- Users trying to run unapproved applications
- Possible compromise attempts
- Permissions that need adjustment
Monitor for:
- Multiple failures in short time (attack pattern)
- Attempts to run dangerous applications
- Access outside normal working hours
6. Disable When Not Needed
If an application no longer requires elevation:
- Remove it from Advanced RunAs
- Users revert to standard permissions
- Reduces attack surface
Troubleshooting Common Issues
Issue 1: Application Won’t Launch
Symptom: User clicks to launch elevated app, nothing happens
Causes:
- Application path incorrect
- Application doesn’t exist on this computer
- Application requires specific files/dependencies
- User doesn’t have permissions to read the application
Solution:
- Verify path in Advanced RunAs configuration
- Test on target computer (does the app exist?)
- Check Windows Event Viewer for errors
- Verify user account has read permissions to the application
Issue 2: “Access Denied” Error
Symptom: User launches app but gets “Access Denied” error
Causes:
- Credentials aren’t set up correctly
- User account doesn’t have permission to run the app
- Firewall/antivirus blocking the elevation attempt
Solution:
- Verify credentials are correct in Advanced RunAs configuration
- Test the credential account manually (can it access the app?)
- Check antivirus/firewall logs for blocks
Issue 3: Audit Logs Not Appearing
Symptom: Application launches but no log entry
Causes:
- Logging not enabled in Advanced RunAs
- Log location not configured correctly
- Permissions issue preventing log write
Solution:
- Enable logging in Application settings
- Verify log file location is writable
- Check Windows Event Viewer for Advanced RunAs events
FAQ: Advanced RunAs Common Questions
Q: Does Advanced RunAs work in workgroup environments (no Active Directory)?
A: Yes. You can assign permissions by individual users or local groups on each computer.
Q: Can I use Advanced RunAs with remote work/VPN?
A: Yes. Advanced RunAs works on any Windows computer, remote or on-premise.
Q: What if our admin password changes?
A: Update it once in Advanced RunAs console. All users automatically get the new credentials. No need to re-configure individual users.
Q: Can users elevate applications not approved by IT?
A: No. Advanced RunAs only elevates the specific applications you configure. Everything else is blocked.
Q: Does it work with 32-bit and 64-bit applications?
A: Yes. Advanced RunAs handles both transparently.
Q: Can I audit who ran what and when?
A: Complete audit logs with timestamp, user, computer, application, and success/failure status.
Q: Does it slow down the application?
A: No. The elevation happens in milliseconds. Applications run at normal speed.
Why Advanced RunAs Is Better Than “Just Give Them Admin”
Let’s be direct about the alternative many organizations consider when frustrated with permission issues:
“Why don’t we just give users local admin rights? It would solve all these problems.”
Here’s why that’s a terrible idea:
1. Security Nightmare
Every compromised user account becomes a compromised admin account:
User gets malware from email attachment
↓
Malware has admin rights
↓
Malware spreads across network
↓
All systems compromised
↓
Ransomware deployed
↓
Business down for weeks
2. Compliance Violations
Almost every compliance standard requires least privilege:
- SOX (Sarbanes-Oxley)
- HIPAA (healthcare)
- PCI-DSS (payment processing)
- GDPR (data protection)
- SOC 2
If you give all users admin rights and get breached, you fail audits and face penalties.
3. Human Error
With admin rights, one mistake becomes a catastrophe:
User tries to delete temp files and accidentally deletes system files
User disables antivirus to troubleshoot one thing and forgets to re-enable
User installs software that conflicts with critical systems
User changes security settings without realizing impact
Without Advanced RunAs, these mistakes get replicated across the network.
4. Cost
People think giving admin rights saves time. Reality:
Cost of security breach from compromised admin account: $5,000,000+
Cost of compliance violation from failing audit: $100,000+
Cost of help desk time managing all the problems: $50,000/year
Cost of Advanced RunAs to prevent this: $200/year
The ROI on Advanced RunAs is about 25,000:1
The Bottom Line
You face a choice:
Choice A: Give users the permissions they need to do their job while maintaining security, audit compliance, and help desk efficiency.
Choice B: Give users full admin rights, accept the security risks, fail compliance audits, and hope nobody gets breached.
Advanced RunAs makes Choice A actually possible.
It’s the solution forward-thinking IT teams are implementing. Help desk productivity goes up. Security posture improves. Compliance requirements are met. Users get what they need without chaos.
Getting Started Today
Download Advanced RunAs from Steelsonic →
What you get:
- Free to try
- Works on Windows 10 through Windows 11
- Comprehensive documentation
- Video tutorials
- Professional support
Next steps:
- Download and install
- Identify your first use case (help desk printer driver installation?)
- Configure that one application
- Deploy to a test group
- Gather feedback
- Roll out across your organization
You don’t need to give users full admin rights. You don’t need help desk chaos. Advanced RunAs eliminates the false choice between security and usability.
About Steelsonic
Steelsonic develops essential software for IT support professionals and system administrators. Our products help organizations achieve the right balance between user productivity and security.
Advanced RunAs – Let standard users run admin applications securely
Ping Monitor – 24/7 network monitoring with real-time alerts
Network Inventory – Automated IT asset discovery and tracking
Whether you’re managing a small office or distributed enterprise, Steelsonic tools scale to meet your needs. Join thousands of IT teams that have ditched the admin rights dilemma and embraced controlled privilege elevation.