To launch an application with Admin creds in a limited account, create a shortcut to the application in the limited account.
Right-click the shortcut > Properties
Add the following to the beginning of the target line.
C:\Windows\System32\runas.exe /savecred /user:Administrator
Then launch it once using the shortcut and enter the Administrator password. All subsequent launches will no longer require you to enter the password.
This will not solve your problem though. Your best bet is to use a Kiosk application.
On the folder (important: set the Applies to for the access rule to This folder only), make sure the user only has these permissions:
- Traverse folder / execute file
- List folder / read data
- Read attributes
- Read extended attributes
(If you're setting a deny entry, block these: Create files, Create folders, Write attributes, Write extended attributes, Delete subfolders and files, Delete, Change permissions, Take ownership.)
On the file, deny these permissions for the user:
- Delete
- Change permissions
- Take ownership
That arrangement produces the desired results for me on Windows 10. You can use the Effective Access tab of the folder and file to make sure that you don't have other rules interfering with these.
The user will then be able to read and write that file. The user will be unable to rename the file, create new files in that folder, or delete that file. Note that if the user has the "delete" permission on other files in that folder, it will be able to delete them.
Note, of course, that since the user can write to the file, it could just delete everything in it without deleting the file itself. If you don't trust this user, keep backups.
For Excel files specifically, this doesn't do the whole job. Office programs always save the document to a temporary file, delete the original, then rename the temporary one to the real one. You can kind of get around this by fiddling the Registry as instructed by this Microsoft article. Open this key in the user's account:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Common\General
For Office 2013, change 14.0 to 15.0. (It's 16.0 for Office 2016.) Create a new DWORD value called EnableSimpleCopyForSaveToUNC with the data of 1. You'll also have to change the permissions on the folder to let the user Create files / write data. (But since it's on the folder only, the user won't be able to mess with anything else in it, only create new files.) That will let the user save the Excel document, but sadly, the temporary file will stick around.
Would-be commenters might think that CREATOR OWNER permissions, hardlinks, or network shares might help with that, but no.
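An added example, not part of the answer above: the deny-entry variant of that ACL arrangement scripted in PowerShell, so it can be applied and re-checked consistently. The folder, file and account names are assumptions, and `Add-ExplicitRule` is a hypothetical helper defined here; run it from an elevated session.

```powershell
# Constructed sample values: replace with the real folder, file and account.
$Folder = 'C:\Shared\Reports'
$File   = Join-Path $Folder 'budget.xlsx'
$User   = 'PC01\limiteduser'

# Hypothetical helper: adds one explicit ACE that does not inherit downwards.
# InheritanceFlags None on a folder is what the GUI calls "This folder only".
function Add-ExplicitRule {
    param([string]$Path, [string]$Identity, [string]$Rights, [string]$Type)
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]$Type)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Folder: allow only traverse/list/read-attribute rights ...
Add-ExplicitRule $Folder $User `
    'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes' 'Allow'

# ... and deny everything that would create, rename or delete entries in it.
# (For the Excel registry workaround, CreateFiles has to be left out of this
# deny entry and allowed instead, as the answer describes.)
Add-ExplicitRule $Folder $User `
    ('CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes, ' +
     'DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership') 'Deny'

# File: the user keeps whatever read/write access it already has,
# but cannot delete the file or change its ACL or owner.
Add-ExplicitRule $File $User 'Delete, ChangePermissions, TakeOwnership' 'Deny'

# Review the explicit (non-inherited) entries that now apply to the user.
foreach ($path in $Folder, $File) {
    "--- $path"
    (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $User -and -not $_.IsInherited } |
        Format-Table FileSystemRights, AccessControlType, InheritanceFlags -AutoSize
}
```

The listing shows only explicit entries for that account; inherited rules and group memberships still count, so confirm the result on the Effective Access tab as the answer suggests.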
Best Answer
You cannot disallow deletes and expect rename to work, as explained below.
Windows treats a file renaming operation as a deletion of the file and creation of a new file with the new name. Therefore, you absolutely must have one or both of the following two permissions:
- Delete permission on the file itself, or
- Delete Subfolders and Files permission on the folder that contains the file.
To complete the list, for renaming you require in addition the following permissions:
- Write Data permission on the folder because of the new-file creation
- Read Attributes permission to both the folder and the actual file
- Synchronize permission to both the folder and the actual file
- List Directory permission to the folder.
These permissions allow the rename command to check for the existence of the file and verify that the file's attributes (for example, the Read Only attribute) don't prevent the rename.