Problem solve Get help with specific problems with your technologies, process and projects.

Program helps admins control user privileges in Windows

Winternals Protection Manager allows administrators to define precisely how users can (or can't) do things with applications.

A common complaint about the way Microsoft Windows handles privileges and security is that it still remains somewhat ungranular and clumsy. For instance, if you put a user into a reduced-privilege context, it's hard to selectively allow them elevated privileges without changing their group memberships. If they need to run one application (or a set of apps) that requires admin rights, the administrator needs to contrive a way to allow them to run those programs with elevated privileges.


Although mechanisms exist for doing this in Windows, they are close-ended: You can either do something or you can't. It's difficult to carve out exceptions or grant one-time allowances for something.

One of the best third-party solutions to this problem is Winternals Protection Manager. This application allows an administrator to define much more precise and controlled parameters for how users and groups of users can (or can't) do things with applications.

Each program can be given one of four levels of control: deny, run as limited user, run as administrator or allow normally. The "deny" function doesn't rely on the type of blacklisting/application-image hashing technique used by Group Policy; if told to do so, it will block anything not specifically authorized by the administrator. (You can use hashes, filenames, owners or other methods to define allowed files.) This approach offers an auxiliary benefit: Since any application that isn't specifically allowed can be restricted, viruses and spyware have that much more difficulty getting a toehold. 

Another key feature that isn't supported in Windows by default is the ability to get "run-time requests for permission." A user can attempt to launch an application, and if it's denied, they can petition an administrator to grant them the right to do so, immediately, without having their security policy rewritten. Admins can also "harvest" running applications from systems to see what people are using, and then build their restriction policies from that information. That way they can use real-time data and not guesswork or manually tabulated lists to get a handle on things.

A free evaluation version of the product, which runs totally unrestricted for 30 days, is available. Pricing varies based on the number of seats and servers needed, but a sample quoted price for one server and 25 workstations is $1100.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators.

This tip originally appeared on

Next Steps

Browse network engineering tips

Tool helps administrators run applications with limited user privileges

This was last published in June 2006

Dig Deeper on Network Infrastructure

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.