Applications
An administrator can use Privilege Management to elevate a standard user to have administrative privileges for specific applications. This useful if a user requires admin rights to only a few applications and not for everything in order to carry out their role.
Privilege Management can also be used to restrict permissions, for example by allowing a user to have administrative privileges they are granted access to all files, including important system files, and the ability to, for example, delete or rename them. These actions can compromise a system.
Try it yourself
In this example we are going to give the everyone group elevated rights to the CCleaner application because full functionality is required for everyone's role.
- In the Application Control Configuration Editor navigate to Rule Sets > Group > Everyone > Privilege Management.
- Right-click and select Application > File.
The Add a File for User Privilege Management displays. - Enter CCleaner.exe for the File.
- In the Policy section, ensure Builtin Elevate is selected.
- Click Add, the item displays in the Applications list.
- Save and deploy the configuration.
You will need to select Make file an Allowed Item and Allow file to run even if it not owned by a trusted owner if any users are not on the trusted owners list as Trusted Ownership is a higher priority in the rule processing order, see Creating an AC Configuration for more details.
Test it
- Download CCleaner.exe.
- Attempt to install CCleaner.exe, it should install without any need to be an administrator.