How to run a script with administrative rights on logon when a user doesn’t have local admin rights

Microsoft Elevated Privileges Application Launcher (EPAL) Step-by-Step guide
Well, first of all we need to download this free program from the link bellow:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=cf3cc921-9b8e-4266-a905-2e2a20217ce0

Update: The tool is no longer available from Microsoft
In this guide I’m going to demonstrate how to run an adddir.cmd script which requires local administrative rights on a machine in a login script of a user without those rights.
For performing this guide you should be logged on with Domain Admin Account.
1. Login to one of your domain controllers
2. Create a security group called “Privileged Applications”(You could use any group that already local admin on your desktops, don’t use the “Domain Admins” group because of the security measures)
3. Create a new Group Policy called “Privileged Applications” under the OU of your desktop computers.

4. Edit the group policy and in Restricted Groups add the “Privileged Applications” group to be a member of “Administrators”

5. Create an OU called “Privileged Programs” in you Active Directory
6. Copy the epal.exe to the NETLOGON dir
7. I’ve created a script called ADDDIR.CMD in NETLOGON dir for testing purposes
The text in the script:
md c:\windows\system32\test
Something that you can’t do without privileged rights
8. Now we have to register our “ADDDIR.CMD” Script with:
epal /r /c:OU=”Privileged Programs” \\contoso.com\netlogon\ADDDIR.CMD

9. A user and Security group were created in OU “Privileged Applications”
10. Now you should put the users or groups that should launch the ADDDIR.CMD to be a member of an “ADDDIR Application Users” Group. (Don’t put the “Domain Users” , it’s not working)
11. Put the “ADDDIR” user account to be a member of a “Privileged Applications” Group
12. Now we add the EPAL row in our login script to run ADDDIR.CMD
\\contoso.com\netlogon\epal.exe /c:”OU=Privileged Programs” \\contoso.com\netlogon\ADDDIR.CMD
13. Now we restart our Windows Desktop and login
14. You will get an Event at the “Event Viewer” in Application section that will tell you that your application successfully launched
For more information about EPAL go to the following link:http://technet.microsoft.com/en-us/library/bb727155.aspx

Incoming search terms:

  • active directory startup exe script run as administrator
  • login script run as administrator
  • run logon script as administrator group policy
  • run script as administrator group policy
  • running privileged script upon logon windows 7 group policy
  • script ldap shutdown domain stations without admin rights
  • windows logon script admin rights

2 Comments

  1. I have encountered the issue during the steps 8

    Error: Programs

    If I join the “PrivilegedPrograms”

    Error: There is no such object on the server. (-2147016656)

    • Hi Calvin,
      You have to make sure that the “Privileged Programs” exists.
      If it does, try using the full path to the OU. For example, “OU=Privileged Programs,DC=Contoso,DC=Com”.

What do you think about this post?