Note that absolutely none of this is authoritative or directly based on relevant documentation. It’s mostly what I found and figured out and guessed and (in some cases) made up. Some of it may be wrong or dangerous or lead to disaster or confusion. I am not taking responsibility here for anything. Read and act on it at your own peril! Especially now.

This is a more enterprisey post than most. It deals with a very common issue with enterprise software and what many vendors consider best practice.

How to make every user an administrator:

PS C:\WINDOWS\system32> Get-LocalUser
Name               Enabled Description
----               ------- -----------
Administrator      True    Built-in account for administering the computer/domain
benoit             True
DefaultAccount     False   A user account managed by the system.
Guest              False   Built-in account for guest access to the computer/domain
legrand            True
WDAGUtilityAccount False   A user account managed and used by the system for Windows Defender Application Guard scenarios.


PS C:\WINDOWS\system32> Get-LocalUser|ForEach-Object{Add-LocalGroupMember Administrators $_}
Add-LocalGroupMember : Administrator is already a member of group Administrators.
At line:1 char:30
+ Get-LocalUser|ForEach-Object{Add-LocalGroupMember Administrators $_}
+                              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceExists: (Administrators:LocalGroup) [Add-LocalGroupMember], MemberExistsException
    + FullyQualifiedErrorId : MemberExists,Microsoft.PowerShell.Commands.AddLocalGroupMemberCommand

PS C:\WINDOWS\system32> Get-LocalGroupMember Administrators

ObjectClass Name                          PrincipalSource
----------- ----                          ---------------
User        CHAMPIGNAC\Administrator      Local
User        CHAMPIGNAC\benoit             Local
User        CHAMPIGNAC\DefaultAccount     Local
User        CHAMPIGNAC\Guest              Local
User        CHAMPIGNAC\legrand            Local
User        CHAMPIGNAC\WDAGUtilityAccount Local

PS C:\WINDOWS\system32>

Now the server is ready to run enterprise software as per the requirements of many enterprise software vendors.

But to be on the safe side, you can also make all services run as administrator. This will allow services that were designed to run as administrator to run as administrator even if the account they run under has insufficient rights:

PS C:\WINDOWS\system32> Get-Service|ForEach-Object{$name=$_.Name;sc.exe sidtype $name unrestricted;Add-LocalGroupMember Administrators "NT Service\$name"}
[SC] ChangeServiceConfig2 SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
[...]
PS C:\WINDOWS\system32>

And don’t forget to disable the firewall:

PS C:\WINDOWS\system32> netsh advfirewall set allprofiles state off
Ok.

PS C:\WINDOWS\system32>

Now your server is absolutely enterprise-ready.
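Added here as an example and not taken from the post: a small PowerShell audit that reports the state the three commands above leave behind (extra members of Administrators, including the NT SERVICE virtual accounts the Get-Service one-liner adds, and firewall profiles that are switched off), together with the cmdlet that reverts each finding. It assumes an elevated prompt on Windows 10 / Windows Server 2016 or later with the built-in LocalAccounts and NetSecurity modules; the function name is my own.

```powershell
# Audit script added as an example (not part of the post). It turns the three
# "enterprise-ready" changes above into findings so they can be reverted.
# Assumes an elevated PowerShell with the built-in LocalAccounts and
# NetSecurity modules (Windows 10 / Windows Server 2016 or later).

function Get-EnterpriseReadinessFindings {
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Members of Administrators other than the built-in Administrator.
    #    Service virtual accounts ("NT SERVICE\<name>") get their own check,
    #    since that is exactly what the Get-Service one-liner adds.
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        if ($m.Name -like '*\Administrator') { continue }
        $findings.Add([pscustomobject]@{
            Check  = if ($m.Name -like 'NT SERVICE\*') { 'ServiceInAdmins' } else { 'PrincipalInAdmins' }
            Item   = $m.Name
            Detail = "$($m.ObjectClass), source $($m.PrincipalSource)"
            Fix    = "Remove-LocalGroupMember Administrators '$($m.Name)'"
        })
    }

    # 2. Firewall profiles switched off (netsh ... set allprofiles state off).
    #    Enabled is a GpoBoolean (True/False/NotConfigured), so compare by name.
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -eq 'False') {
            $findings.Add([pscustomobject]@{
                Check  = 'FirewallOff'
                Item   = $p.Name
                Detail = 'profile disabled'
                Fix    = "Set-NetFirewallProfile -Name $($p.Name) -Enabled True"
            })
        }
    }

    return $findings
}

Get-EnterpriseReadinessFindings | Format-Table -AutoSize
```

Service SIDs that were switched to unrestricted with sc.exe sidtype are not listed separately, because many built-in Windows services legitimately use that setting; revert them with sc.exe sidtype <name> none only for the services you changed.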

Next: TBD