user accounts - Giving privilege with expiration in Windows 7
2014-04
Maximin
I have asked this question in security.stackexchange.com, but I was unable to get anything useful. So I am re-posting it here.
In parental control I can restrict the games, applications, and also set time for usage. But how can I grant some privilege (like using some application or playing games) with validity period? To be more specific, I have parental control set to an user account with all games blocked, again if I grant access to play games, it should be valid only up-to the time that I specify, and when the time expires it should roll-back to all games blocked stage.
How can I do this? Do I need any other software to do this?
Note: Down-voters please comment the reason why my question has been down-voted.
Master of Celebration
Since we run Windows 7-clients in our windows-server domain I have a specific use case that has become more inconvenient:
On the client-site, being logged-on as an user with restricted rights and having the user account control (UAC) activated on the highest level, you can run an application with administrative privileges by right-clicking onto it and choosing “Run as administrator”.
After that, a popup window is shown and asks for the username and password.
As a domain member you now have to enter your full hostname with a backslash following and the user name with administrative privileges (e.g. Administrator) in order to authenticate as local administrator.
On XP-machines you simply had to type in “Administrator” for the username.
That makes administration more inconvenient if you run various Windows-7 clients in a company, because you always have to lookup the hostname for the machine on which you want to run something with administrative privileges.
Is there a registry setting or a good workaround that lets you authenticate as administrator without having to enter the hostname for the machine, but not using tools like "RunAsSPC" or "Steel RunAs"?
Stephen Jennings
When you want to authenticate to the local computer, you can use a dot instead of the hostname. This doesn't make the issue go away entirely, but at least it prevents you from having to look up hostnames since . works everywhere.
Username: .\Administrator
Password: *******
In certain contexts, localhost will work instead. I haven't yet found a situation where either . or localhost doesn't work, but I'm sure there is one somewhere.
shf301
How about creating a domain account and/or group that has administrative access to the client PC's and login as that account. Or depending on your access you can always login as a domain admin, who will have admin rights on client PC's. That also means that you don't have to manage local accounts on each PC.
Or if the point is to give your users admin access on their own PC's you could just add their domain account as an administrator to the client PC.
I guess it depends on exactly what your usage scenario is.
harrymc
If the logon account is already an administrator, you can set UAC through Local Policy changes to "Prompt for consent" or "Prompt for consent on the secure desktop".
For the Home version of Windows, there is a registry hack that sets this in :
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System.
Double-click ConsentPromptBehaviorAdmin and set its value to:
2 - Prompt for consent on the secure desktop
4 - Prompt for consent
The much-simpler Consent dialog, where one only has to click Continue, looks like:
