0

Can't seem to find anything online about this topic because they're all responding to using run as to go the other way (to elevate permissions).

Scenario: there's a program that I want to run under a highly restricted and low privileged user locally on a machine. The user has been created on that machine only really for that purpose. I would like the ability from my admin RDP session to spawn a login of that user and run the program, then log out the admin account leaving the least privilege user logged in but locked.

Is this even a thing? Just curious if anybody's tried this. I'm trying to kick off an already-compiled 3rd-party executable, so I can't exactly rescript this as a background service - nor would I really want to because that probably would require too many permissions.

I would also prefer not to add the least privilege user to the remote users group, as that's another account and password to protect. I'd rather leave that laptop at the office, log in to it via admin RDP from home, and then kick off the program from the user's context and log off the admin session.

Thoughts?

1 Answer

1

Use psexec.

psexec -d -accepteula -u <username> -p <passwd> <executable.exe> [arguments]

To avoid introducing a security risk, you should eliminate the -p option and type the password in when you are prompted, after running the command.

Alternatively you can use srvany.exe. This will create a Windows service out of a standard executable. Windows services can either start automatically or manually, and can be set to run as any user on the system in services.msc.
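On the -p caveat in the answer above, as an added example that is not part of the original answer: a password given after -p is part of the process command line, so it is recorded wherever command lines are logged. This PowerShell check flags and redacts such PsExec invocations; the function name, the sample command lines and the list of value-taking switches are assumptions.

```powershell
# Added example. The command lines in $samples are constructed.
function Find-PsExecInlinePassword {
    param([Parameter(Mandatory)][string[]]$CommandLine)

    # Assumption: the PsExec switches that consume the next token. Check this
    # list against the usage text of the PsExec version you run.
    $valueSwitches = '-u', '-p', '-w', '-n', '-a', '-r'

    foreach ($line in $CommandLine) {
        # Tokenise, keeping double-quoted strings together.
        $tokens = @([regex]::Matches($line, '"[^"]*"|\S+') | ForEach-Object { $_.Value })
        if ($tokens.Count -eq 0) { continue }

        # Only inspect lines whose first token is PsExec (any path, 64-bit or not).
        $leaf = @($tokens[0].Trim('"') -split '[\\/]')[-1]
        if ($leaf -notmatch '^psexec(64)?(\.exe)?$') { continue }

        $found = $false
        for ($i = 1; $i -lt $tokens.Count; $i++) {
            $t = $tokens[$i]
            if ($t -like '\\*') { continue }      # \\computer target
            if ($t -notmatch '^[-/]') { break }   # first non-switch token is the program;
                                                  # a later -p belongs to that program
            $name = '-' + $t.Substring(1).ToLower()
            $hasNext = ($i + 1) -lt $tokens.Count
            if ($name -eq '-p' -and $hasNext) {
                $tokens[$i + 1] = '<redacted>'    # never echo the secret back
                $found = $true
            }
            if ($name -eq '-i' -and $hasNext -and $tokens[$i + 1] -match '^\d+$') {
                $i++                              # -i with an optional session number
            } elseif ($valueSwitches -contains $name) {
                $i++                              # skip the switch's value
            }
        }
        if ($found) {
            [pscustomobject]@{
                Finding     = 'PsExec password on command line'
                CommandLine = $tokens -join ' '
            }
        }
    }
}

$samples = @(
    'psexec -d -accepteula -u lowpriv -p Example-Passw0rd C:\Apps\tool.exe --port 8080',
    '"C:\Tools\PsExec64.exe" -accepteula -u lowpriv C:\Apps\tool.exe -p 8080',
    'notepad.exe C:\notes\psexec -p.txt'
)
Find-PsExecInlinePassword -CommandLine $samples | Format-List
```

In practice the input would be the command-line field of process-creation events, such as Security event 4688 with command-line auditing enabled or Sysmon event 1.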
