Blue Iris Non-Admin/Admin

Aug 31, 2017
Hi, the two separate launch options (non-admin and Admin) don't seem to make a difference. We have a non-local admin user trying to access BI with Admin access and he is unable to change the settings of BI, even though he has an Admin user account within BI. Admin access of the BI application seems to be tied to whether the user has Local Admin rights on the machine (Active Directory) as opposed to the independent settings within BI. Any solution to this?
 
I know nothing of BI yet but in some software instances you must manually grant modify or above for the directories that house the config files if you wish for non-admin users to have elevated access to a specific app. Is BI running as a service? That may make a difference. Registry-based config items can get sticky but it is possible most of the time.
 
Hmm, this isn't for the config, it's launching the actual application. In Blue Iris, there are two launch shortcuts, but they seem to do the same thing regardless of the one you click. If you are a local admin on the machine the application launches perfectly, and you can configure the settings within the application, but if you are not a local admin on the machine, you get prompted for a user and password (the same for the web interface) and once entered (even if the details you entered were "admin" within BI) you still don't have access to change settings within the software.
 

Attachment: non admin.png

My understanding is local admin is required. You could attempt to grant additional NTFS permissions manually but I don't see anything documenting this. I did find this from another site:

"By default, when you run the software, you must be using an administrator account and/or answer Yes to the UAC prompt (the one asking to allow the software to make changes to your computer). However, if you uncheck the box for Require run-as Administrator for the console or when stand-alone, you may allow the console (or the application if not running as a service) to run "as a user." When running in this way, the user may not make any changes to the Blue Iris settings or camera properties. In addition, the user will only be able to manually delete and move clips if they have write access to the folders without administrator privileges. Note also that unless you are running as a service, some features may not be fully functional, such as the web server and automatic software updates.

The default program shortcut that is installed to Windows runs the BlueIrisAdmin.exe, which guarantees the UAC prompt. You may wish to change this to point directly to BlueIris.exe, which does not require the UAC prompt. In this case, you may always still right-click the icon and select "run as administrator" as necessary."

This seems to imply non-admins can run it read-only but only admin accounts can make changes. Although some software can be manipulated as stated above with custom directory permissions, not all software can; this may be one that cannot.
 
Because within our organisation, granting local administrator rights (within AD) to users is limited to senior Technical Staff only. Users may request Local administrator but that is only granted on a temporary basis.
 
Ah okay, interesting. Makes it sound like a limitation of how the program is written. Thanks! :)

Actually implies it is written correctly. Non-admins should not be configuring appliances or software configurations...that makes them an administrator by definition. In some cases you may have the need for a user on a production workstation to have elevated access to a specific application but in this case the workstation should be dedicated so the impact of an elevated account should be minimized. I think the disconnect here is you are not wishing to dedicate this machine. To protect a bit, you could create 2 accounts, one admin and one non-admin, have them log in as non-admin, run the admin app and provide the admin account credentials so that only that app is being executed as admin. Doesn't lock the machine down from the user but does protect the general system.
 
The machine is a dedicated box; the person in subject that is dealing with the CCTV system is not a local administrator. I agree, perhaps this permission should be granted if there is no other workaround. I was just inquiring as to whether there is another way around granting this.

Could you please explain the difference between the Blue Iris non-admin and Blue Iris admin shortcuts in the start menu, as they seem to be doing the same thing in this circumstance?


Also, I did not mean that the application was programmed incorrectly or any negative implication! Just meant that there was not a workaround for my circumstance :)
 
Just saw the AD bit. We also have this requirement so will have no choice but to find a way to make it work on your own because it is not designed to work that way. This means YMMV and at your own risk. I would start by adding (not replacing) modify permissions for the non-admin account to the program directory (for application changes) and to the storage directory (for deleting clips, etc.) to see how far that gets you. You may also try installing it as a service and configuring that service to run as a local admin account rather than system or as a service admin account (if you have one configured in your directory or create one) to see if that works for you. I defer to the experts specific to BI but I do extensive software packaging and deployment in my day job and have used some of these techniques to provide elevated access.

As far as the 2 shortcuts, it's simply an option in the properties to save you from having to right-click and choose run as administrator. This is designed for home use with limited knowledge skills. Also to protect, you don't always want to run the app as admin if you just want playback or review, less risk making inadvertent changes.
 
You may need to implement an enterprise solution if you need ultimate authority and control. I deal with this a lot: application owners or business unit technical leads procure software then consider security after the fact. I have no experience with BI yet so I am not certain what can and cannot be achieved with it but your use case is not the primary objective so some concessions may have to be made. Enterprise solutions will definitely cost more so it may come down to dollars and "sense" as to what your final config is.
 
Perfect, thank you for the explanation :) Will have a bit of a play.


Blue Iris is perfectly suited for us as we only have 12 cameras. The feature set, flexibility, and 'Bang for Buck' of Blue Iris is incredible; enterprise solutions wouldn't offer much more than BI would for us considering the price. $60 for 64 cameras and a lifetime license. Absolute no-brainer :)

Thanks again for your help.
 
Anyone ever figure this out? So weird that Blue Iris would need to run as an Admin. Can anyone provide details on what folders and registry entries need to be edited to allow the blue iris user to run the blue iris service?
Also, what about CodeProject.ai (I'm using that in conjunction with BI)?
 
Read the built-in help file on administrator.
No registry or folders need editing.
 
From Blue Iris 5 help (Administration > Windows Administrator Access):

RTFM said:
Blue Iris is security software, and as such requires Windows Administrator access to the PC.

Uhh...respectfully, this is nonsense. There are many security-related software applications that do not require local administrative privileges to run/use. Many/most will require local administrative privileges to install (and possibly to configure), and some will use service configuration or other design to support running with normal/limited privileges.

The Windows Administrator Access entry explains how to configure Blue Iris so that if it runs as a service, it can be opened by a normal/limited user. It then states:

RTFM said:
Instead, you may alter the access rights on the registry key used by Blue Iris to include non-administrators. The software checks writability to this key when determining if Administrator access is allowed. Open REGEDIT and locate the key.

HKEY_LOCAL_MACHINE\SOFTWARE\Perspective Software\Blue Iris

You may edit the permissions on this key to provide full control to the Everyone user or to a specific user or group.

Even though I granted the local Users group full permissions on the specified registry key, added a Blue Iris user that has neither Administrator nor Camera admin privileges (user options), and unchecked the Startup option to "Always run as Windows Admin (use local_console user; no login prompt)," when I attempt to open Blue Iris (C:\Program Files\Blue Iris 5\BlueIris.exe) as a normal/limited user, I see the prompt, "You must run as Administrator or start the service (5)."

I'm running a Blue Iris 5 demo. I want to make sure it will work as required (run as a normal/limited user) before licensing. Any suggestions? Thank you!
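
Added example (not part of any post in this thread, and not Blue Iris's own tooling): a PowerShell form of the registry-permission step quoted from the help file, scoped to a dedicated group rather than Everyone, with a report of who can write to the key and an open-for-write check as the current user. The group name `BlueIrisOperators`, the `-Grant` switch and the function names are assumptions of this example, and the write check only approximates whatever test the software itself performs.

```powershell
# Added example, not Blue Iris tooling. Run from an elevated PowerShell session.
# ASSUMPTION: 'BlueIrisOperators' is a hypothetical local group that already exists.
param(
    [string]$Group = 'BlueIrisOperators',
    [switch]$Grant   # without -Grant the script only reports, it changes nothing
)

$subKey  = 'SOFTWARE\Perspective Software\Blue Iris'   # key quoted from the help file
$keyPath = "HKLM:\$subKey"

function Get-KeyWriters {
    # Allow entries that include value-write or subkey-create rights.
    # ACEs stored as generic rights show up as raw numbers and are not decoded here.
    $mask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
    (Get-Acl -Path $keyPath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ([int]$_.RegistryRights -band $mask) } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

function Test-KeyWritable {
    # Opens the key for writing as the current user; no value is modified.
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
        if ($null -eq $key) { return $false }   # key absent in this registry view
        $key.Close()
        return $true
    } catch {
        return $false                           # access denied for this user
    }
}

if ($Grant) {
    $acl  = Get-Acl -Path $keyPath
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Group, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)                   # adds to the existing ACL, keeps other entries
    Set-Acl -Path $keyPath -AclObject $acl
}

Get-KeyWriters | Format-Table -AutoSize
"Current user can open the key for writing: $(Test-KeyWritable)"
```

Run it once elevated with `-Grant`, then again without `-Grant` from the limited account's session to see whether that account can open the key for writing. Any identity listed by `Get-KeyWriters` can change whatever the application stores under that key, so the list is worth reviewing after the change.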
 
So use one of the other VMS options out there...there are hundreds..