7

I have a VBS script that needs to be provided to end users, but it requires more rights than they have on their locked-down workstations - specifically updating some HKLM registry values and stopping/starting a Windows service. Is there a way I can provide them with the ability to run the script so that it'll work? e.g. Run As a different user account, without requiring users to have a different account to log in as?

The script isn't part of a login process. It's to allow users who are testing a software product to point their machines at a different 'environment', so they can switch between Test and Live environments.

UPDATE: I'm ok if the only solution means doing something outside VBS, just having some options would be good.

Rory

5 Answers

2

Not without encrypting the password and including it with the VBS script.

There are other options like remote scripting, but those settings may be off depending on if you are part of a domain.

Is the script part of a login process?

edit:

The script isn't part of a login process. It's to allow users who are testing a software product to point their machines at a different 'environment', so they can switch between Test and Live environments.

UPDATE: I'm ok if the only solution means doing something outside VBS, just having some options would be good.

Without more details, the best solution by far that I can recommend is to create a separate user account and modify the ACLs of the Registry keys to explicitly allow that account to modify those keys. Then run the script under that account. Try that.

surfasb
0

A bit of a programming-centric answer, but I would write a small .NET Windows service and client application that could communicate securely over WCF/remoting. The service would just listen to requests from the client and, if the client was authorized, run the script. The service would be running as an account with the correct permissions.

EDIT

In a similar strategy, you could set up the script as a scheduled task that is set to run as a user with permissions to do what you need. Then, grant your users permission to execute the scheduled task. To do that, you need to go into %SYSTEMROOT%\System32\Tasks and set the NTFS permissions on the appropriate task file.

dsolimano
0

One way of doing this would be to use NSSM or a similar tool to run the script as a system service. You can then configure the security on the service to allow the user to start it, and perhaps write a script that does this for them.

Harry Johnston
0

If you can set up a scheduled task and have access to the "schtasks" command to run the task, you can set it up to run as any user, or even system access rights, without exposing any passwords or allowing elevated access rights for any command except the one you set up. Since it's a little more involved, here's a link to my answer of another similar question/problem: superuser.com/a/903881/229612

C. M.
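An added example (not code from either answer) of the scheduled-task approach that dsolimano and C. M. describe above: one task per environment running as SYSTEM, with standard users allowed to start it. The task names, the folder, the script name, and the assumption that the script takes the environment name as its first argument are all hypothetical.

```powershell
# Run from an elevated PowerShell prompt. Names and paths below are hypothetical.
$dir    = 'C:\ProgramData\EnvSwitch'        # assumed install folder (no spaces in path)
$script = Join-Path $dir 'switch-env.vbs'   # assumed name of the existing VBS script

# 1. Lock the folder down so standard users cannot replace a script that runs as SYSTEM.
#    Well-known SIDs: S-1-5-18 = SYSTEM, S-1-5-32-544 = BUILTIN\Administrators.
#    Copy the script into the folder afterwards so it inherits this ACL.
New-Item -ItemType Directory -Path $dir -Force | Out-Null
icacls $dir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F'

# 2. One task per environment, each with a fixed argument, so the caller
#    cannot pass arbitrary input to the elevated script.
#    /SC ONCE with a start time that has already passed means the task
#    only ever runs when it is started on demand.
foreach ($envName in 'Test', 'Live') {
    $task = "EnvSwitch-$envName"
    schtasks /Create /TN $task /SC ONCE /ST 00:00 /RU SYSTEM /RL HIGHEST /F `
        /TR "cscript.exe //B //Nologo $script $envName"

    # 3. Grant BUILTIN\Users (S-1-5-32-545) Read & Execute on the task file,
    #    the NTFS permission change described in the scheduled-task answer.
    icacls (Join-Path $env:SystemRoot "System32\Tasks\$task") /grant '*S-1-5-32-545:(RX)'
}

# 4. Review the result: run-as account, command line, and the task file ACL.
schtasks /Query /TN 'EnvSwitch-Test' /V /FO LIST
icacls (Join-Path $env:SystemRoot 'System32\Tasks\EnvSwitch-Test')

# A standard user then switches environment with, for example:
#   schtasks /Run /TN EnvSwitch-Test
```

Because the task command line is fixed and the script folder is writable only by SYSTEM and Administrators, the only elevated action a user can trigger is the one defined in the task.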
-1

To grant permissions for running scripts on the local computer

  1. In Internet Explorer, open %windir%\system32 (for example, C:\WINDOWS\System32).
  2. In the Details pane, right-click cmd.exe, and then click Properties.
  3. In the cmd.exe Properties dialog box, on the Security tab, click Add.
  4. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type the name of the user to whom you want to grant permissions, and then click OK.
  5. In the cmd.exe Properties dialog box, on the Security tab, in the Permissions for Administrators box, select the Allow check box for Read & Execute, and then click OK.

marsh-wiggle
Ronald