Oct 25, 2017

Allow Self-Elevation from a specific folder only

I'm looking to allow Self-Elevation from a specific folder only; however, when using 'Run with Administrative Privileges' for executables in the target location, execution is blocked. Running the same executable from that location without elevation works fine.

Is this a bug or misconfiguration?

Here's what is configured:

• Group - defines a local folder path, e.g. %SystemDrive%\TrustedFolder. Subfolders are included. No metadata is specified.
• Group is added to the Everyone rule (for testing) under Allowed Items, with Allow untrusted owner enabled
• Enable Self-Elevation on the group rule is enabled
• Only apply Self-Elevation to items in the list below is enabled
• The same Group is added to the Self-Elevation list

If groups that define an application directly (i.e. the full path to the EXE) are added to the list, they can be elevated OK.

If Self-Elevation is configured with Apply Self-Elevation to all items except items in the list below with no items in the list, elevation from the folder (and anywhere else) works OK.

Running the Rules Analyzer produces no blocked requests.