Microsoft Elevated Privileges Application Launcher (EPAL) Step-by-Step guide
Well, first of all we need to download this free program from the link below:
Update: The tool is no longer available from Microsoft
In this guide I’m going to demonstrate how to run an ADDDIR.CMD script, which requires local administrative rights on a machine, from the login script of a user who does not have those rights.
To follow this guide you should be logged on with a Domain Admin account.
1. Log in to one of your domain controllers
2. Create a security group called “Privileged Applications” (You could use any group that is already a local admin on your desktops; don’t use the “Domain Admins” group, for security reasons)
3. Create a new Group Policy called “Privileged Applications” under the OU of your desktop computers.
6. Copy the epal.exe to the NETLOGON dir
7. I’ve created a script called ADDDIR.CMD in NETLOGON dir for testing purposes
The text in the script:
Something that you can’t do without privileged rights
8. Now we have to register our “ADDDIR.CMD” script with:
epal /r /c:OU="Privileged Programs" \\contoso.com\netlogon\ADDDIR.CMD
11. Make the “ADDDIR” user account a member of the “Privileged Applications” group
12. Now we add the EPAL line to our login script to run ADDDIR.CMD
\\contoso.com\netlogon\epal.exe /c:"OU=Privileged Programs" \\contoso.com\netlogon\ADDDIR.CMD
13. Now we restart our Windows desktop and log in
14. You will get an event in the Application log of Event Viewer telling you that your application launched successfully
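A pre-flight check for the setup above, written as an added PowerShell example (it is not from the original guide or from EPAL itself). The group name, the ADDDIR account and the contoso.com NETLOGON paths are taken from the steps above; it assumes the ActiveDirectory module is installed on the machine you run it from.

```powershell
# Added example, not part of the original guide. Verifies the EPAL setup:
# the NETLOGON files exist, the "Privileged Applications" group (which is a
# local admin on every desktop) contains only the ADDDIR account, and shows
# who can modify ADDDIR.CMD, since that script runs elevated on every desktop.
Import-Module ActiveDirectory

$GroupName       = 'Privileged Applications'   # from step 2
$ExpectedMembers = @('ADDDIR')                  # from step 11
$NetlogonFiles   = @('\\contoso.com\netlogon\epal.exe',     # step 6
                     '\\contoso.com\netlogon\ADDDIR.CMD')   # step 7

# 1. Both files must be reachable through the NETLOGON share.
foreach ($f in $NetlogonFiles) {
    if (Test-Path -LiteralPath $f) { "OK         $f" } else { "MISSING    $f" }
}

# 2. Any member beyond the ADDDIR account is a finding: it gets local admin
#    on every desktop in the OU.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
           Select-Object -ExpandProperty SamAccountName
foreach ($m in $members) {
    if ($ExpectedMembers -contains $m) { "OK         member $m" }
    else                              { "UNEXPECTED member $m" }
}
foreach ($e in $ExpectedMembers) {
    if ($members -notcontains $e) { "MISSING    member $e" }
}

# 3. List identities allowed to write to ADDDIR.CMD; only admins should appear.
(Get-Acl -LiteralPath $NetlogonFiles[1]).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    ForEach-Object { "WRITE      $($_.IdentityReference) on ADDDIR.CMD" }
```

Run it as the Domain Admin account used for the guide before restarting the desktop in step 13.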