+ 0 Votes You don't have to do this in a Windows 2003 environment Why Me Worry? Updated - 7 years ago Windows 2003 is very different from older versions of Windows when it comes to security and groups. What you will have to do is create an exception rule for the executable file in the Data Execution Prevention section of My Computer properties to allow the application unrestricted access to run under the context of a local admin without having to explictly give the users admin rights to their machines. I am very reluctant to give end users admin rights to their PCs' because they will eventually figure out that their machines are not locked down and will start to tinker with all sorts of settings, creating a problem for desktop support and the admins. + 0 Votes Run As is useful, DaveLissa 6 years ago ....but I think the user wanted a way to stop desktop users from installing programs, and at the same time, give users ways to run software that allows changes that usually only local administrators have. Good information, though. + 0 Votes Also in need of a solution neebski 7 years ago Hello there, I am also looking for this exact same solution. I have users that use BW and when printing payroll they need power user permissions. My users are currently running as domain admins but I didn't tell them that. Its just a temporary fix for the users that need to use this particular piece of software but if anyone does know a fix please let us know! Thanks so much! - Kevin Neberman + 0 Votes Give them access to the folders DaveLissa Updated - 6 years ago I had a similar problem a while ago, but I think it was in Microstation. I made them restricted users, but gave "Everyone" group full rights to Microstation folder and subfolders. Worked perfectly. It has to be done manually on each W/S, but you can access the folders from a DC and do it remotely. Hope that helps. + 0 Votes you can use the run as CG IT Updated - 6 years ago or you can use group policy if you have a lot of workstations workstations in which to deploy an application. this option does require some effort administratively in creating the install package. What you do is create a .msi package for deployment and in creating this package you specify how the program runs and what account it runs under. You can use the Run As command. When a user first runs the program, the credentials used during making the .msi package are in use and that is transparent to the user. The program just runs. Also, domain users account often gives uses sufficent rights to install software without having to resort to the power users group. Another option is to create a security group for the sole purpose of installing software granting users of that group the ability to install. Once the application is installed you then remove those users from that group. If needed again, just add the user to that group until the application is installed, then remove them. Of course this is administrative effort, but it does cut down on giving users more privileges than they really need.