You can remove the administrator privilege from domain users and still allow users to start certain applications as administrators.

With privilege elevation, a user can start certain pre-configured applications, which the VMware Dynamic Environment Manager agent runs elevated on the local desktop, as if the user were a member of the Administrators group.
Note: Privilege elevation is not supported for members of the Network Configuration Operators group.
Important: The Privilege Elevation feature grants temporary administrator privileges to a user. The feature must be used only for specific use cases by administrators. It is not intended as a security feature. Use additional security measures to prevent malicious use.
You can configure the following privilege-elevation types.
  • Elevated applications
  • User-installed applications
  • Elevated tasks
See Configure Applications for Privilege Elevation.
For elevated applications, privilege elevation occurs after user logon. To elevate an application outside of the logged-in period of the user, select Elevated task as the privilege-elevation type. For examples of types of tasks to configure using the elevated-task feature, see Configure Logon and Logoff Tasks and Configure Import and Export Tasks.
Mode Description
Elevated applications

Select the applications you want to elevate.

You can elevate applications based on a particular hash, path, or publisher, or on command-line arguments.
  • With hash-based elevation, you can configure one or more hashes, allowing VMware Dynamic Environment Manager to elevate the executable file regardless of the file's location. VMware Dynamic Environment Manager elevates an executable file only if its SHA256 hash is identical to one of the configured hashes.
  • With path-based elevation, you can configure specific file or folder paths to be elevated. VMware Dynamic Environment Manager only elevates an executable file when a user runs the file from one of the configured file or folder paths.
  • With publisher-based elevation, you can enable VMware Dynamic Environment Manager to elevate applications from certain publishers. VMware Dynamic Environment Manager only elevates an executable file if the file's Authenticode signature matches one of the configured publishers.
  • With argument-based elevation, you can configure specific combinations of file paths and command-line arguments to be elevated. VMware Dynamic Environment Manager only elevates an executable file when a user runs the file from one of the configured file paths using a corresponding command-line argument. Users must use the fully qualified path to run the targeted executable files.

    To avoid conflicts with path-based elevation, VMware Dynamic Environment Manager silently ignores argument-based privilege elevation for executable files residing in a folder for which path-based elevation is currently configured, or in a corresponding subfolder. VMware Dynamic Environment Manager runs such executable files with elevation regardless of the specified arguments.

You can only elevate .EXE files. By default, child processes are not elevated. To elevate child processes manually, select Also elevate child processes when you configure an application for privilege elevation.
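The conflict rule between path-based and argument-based elevation means an argument restriction can silently stop applying. The following is an added example, not VMware code: a small audit that flags argument-based rules overridden by a path-based folder rule. The rule lists are a hypothetical representation (not the Dynamic Environment Manager configuration format), the sample entries are constructed, and exact string matching of arguments is an assumption.

```python
import ntpath

# Constructed sample rules (hypothetical representation, not DEM's config format).
PATH_RULES = [r"C:\Tools\Admin"]
ARGUMENT_RULES = [
    (r"C:\Tools\Admin\netcfg\setip.exe", "/renew"),
    (r"C:\Windows\System32\ipconfig.exe", "/flushdns"),
]

def norm(path):
    """Normalise separators, '..' segments and case, as Windows path comparison needs."""
    return ntpath.normcase(ntpath.normpath(path))

def is_under(exe, folder):
    """True if exe resides in folder or in one of its subfolders."""
    return norm(exe).startswith(norm(folder).rstrip("\\") + "\\")

def shadowed_argument_rules(path_rules, argument_rules):
    """List argument rules whose executable sits under a path-elevated folder."""
    findings = []
    for exe, args in argument_rules:
        for folder in path_rules:
            if is_under(exe, folder):
                findings.append((exe, args, folder))
                break
    return findings

def would_elevate(exe, args, path_rules, argument_rules):
    """Model of the precedence described above; arguments compared exactly (assumption)."""
    exe_n = norm(exe)
    # A matching path rule elevates regardless of the arguments supplied.
    if any(exe_n == norm(p) or is_under(exe, p) for p in path_rules):
        return True
    return any(exe_n == norm(e) and args == a for e, a in argument_rules)

if __name__ == "__main__":
    for exe, args, folder in shadowed_argument_rules(PATH_RULES, ARGUMENT_RULES):
        print(f"argument rule ignored: {exe} {args} (path rule: {folder})")
```

Any rule the audit reports should either be moved out of the path-elevated folder or be treated as unrestricted elevation of that executable.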

User-installed applications

Select a folder from which the user installs elevated applications. You can only use path-based configuration for user-installed applications.

Child processes are not elevated, unless they are located in the same folder as the elevated applications, the temporary folder of the user, or the temporary folder of the system.

User-installed applications support .MSI and .EXE files.

Elevated tasks

Select the application you want to run as an elevated task.

  • Executable: Fully qualified path to the executable you want to launch with elevation.
  • Arguments: (Optional) Command-line arguments for the executable.
  • Run asynchronously: If enabled, FlexEngine runs the command in the background, without waiting for it to complete.
  • Timeout: (Optional) The amount of time FlexEngine waits for the command to complete. If the command does not complete during this interval, FlexEngine continues, while the command keeps running in the background. If not configured, FlexEngine waits indefinitely for the command to complete. The Timeout setting is not available if Run asynchronously is enabled.

You can only elevate .EXE files. By default, child processes are not elevated. To elevate child processes manually, select Also elevate child processes when you configure an application for privilege elevation.

To launch the configured task, you can call FlexEngine.exe with command-line arguments -LaunchTask "name-of-task" or you can use a VMware Dynamic Environment Manager task. See Configure Logon and Logoff Tasks and Configure Import and Export Tasks.

VMware Dynamic Environment Manager logs status messages for elevated task launches to the FlexEngine-ElevatedTasks.log log file.

Note: If you use application blocking, by default only applications in Program Files and Windows are allowed to run. You might need to create an allow setting to enable the application to run.