AdminOnDemand 1.4 released May 11, 2022 - Document updated May 11, 2022
AdminOnDemand 2.0 released September 30, 2022
AdminOnDemand 2.3 released October 11, 2023
...
Description
AdminOnDemand allows standard enables specified users without local administrator permissions to perform actions with elevated privileges.
Session elevation enables specified users to control system settings and install or remove any application with elevated privileges. Session elevation is less restrictive than process elevation.
Process elevation enables specified users to execute EXE and MSI files with elevated privileges. Process elevation can be used to control exactly which processes users are allowed to execute with elevated privileges.
...
Session Elevation
If you want to use session elevation, you need to enable it in the “Security” section.
...
Afterward, specify the users/groups that are allowed to use session elevation in the “Validation” section.
...
Users/groups that are “Denied” from session elevation can still use process elevation.
The process elevation rules are not effective during session elevation, unless process elevation is used.
To start a session elevation, a user must click on the CapaOne tray icon and then click the “Start” button.
...
...
Process Elevation
When users want to execute a single process with elevated privileges, all they have to do is right-click the process and select “Run as AdminOnDemand”
...
If Confirmation Text is enabled it will be presented to the user and must be confirmed before proceeding.
...
...
Prerequisites
User Account Control
| Expand | ||
|---|---|---|
| ||
AdminOnDemand requires that User Account Control (UAC) is enabled and configured as described. Configuration can be applied using Group Policy Objects (GPO) or Windows Registry Database (REGDB). |
...
| Expand | ||
|---|---|---|
| ||
If User Account Control is disabled, an “access denied” message is presented.  If User Account Control is enabled, but not configured correctly, a “blocking” message is presented.  .  |
...
Process Elevation Rules
Child Processes
| Expand |
|---|
All applications that use the Windows Command Prompt (cmd.exe) rely on the Console Window Host (conhost.exe) process to interact with other Windows components. As an example, the Console Window Host makes it possible to drag and drop files and folders from Windows Explorer to Windows Command Prompt. It is not uncommon to see multiple instances of the Console Window Host in the Task Manager.  PowerShell and Command Prompt both rely on the Console Window Host. As a result, you need to either allow all child processes (default) or specifically conhost.exe when you create a process elevation rule that allows powershell.exe or cmd.exe  |
...
Hide Run as Administrator
You can hide the built-in “Run as administrator” option in the “Security” section.
The built-in option can only be hidden when session elevation is disabled.
...
Known Issues
Time Sync
| Expand |
|---|
If the time on the device with AdminOnDemand is ahead of the time on the device used to view the dashboard, then the information on the dashboard is not presented accurately. The issue will not affect devices where the time on the device with AdminOnDemand is behind the time on the device used to view the dashboard. The issue will not affect devices where the time is not synchronized because of different time zones.
|
Child Processes
| Expand |
|---|
All applications that use the Windows Command Prompt (cmd.exe) rely on the Console Window Host (conhost.exe) process to interact with other Windows components. As an example, the Console Window Host makes it possible to drag and drop files and folders from Windows Explorer to Windows Command Prompt. It is not uncommon to see multiple instances of the Console Window Host in the Task Manager
PowerShell and Command Prompt both rely on the Console Window Host. As a result, you need to either allow all child processes or specifically conhost.exe when you create a process elevation rule that allows powershell.exe or cmd.exe  |