Run As different user

[njohn]

When using XP, I was able to run different programs (AD, etc) as a Domain
Admin while logged onto the computer as a Domain User. I did this by holding
the shift key down while right clicking on the program and then selecting
"Run as...". At this point, I would type in the Domain Admin's credentials
and be able to do what I needed to do.
How can I do this in Vista? Whenever I click on the "Run as..." it just
runs the program with elevated rights. I am needing to run it with completely
different credentials altogether.
I have tried getting around this by using the Runas command, but it fails
to open AD because it needs elevated privileges (even when running the
command prompt with elevated privileges).
Any help would be greatly appreciated. Thanks in advance!

 

[James Matthews]

Re: Run As different user

look at windows vista enterpirse

--

http://search.goldwatches.com/?Search=Movado+Watches
http://www.goldwatches.com/
http://www.jewelerslounge.com/
"njohn" <njohn@discussions.microsoft.com> wrote in message
news:8170DD80-9339-4D93-8316-A7328F359C9E@microsoft.com...
> When using XP, I was able to run different programs (AD, etc) as a Domain
> Admin while logged onto the computer as a Domain User. I did this by
> holding
> the shift key down while right clicking on the program and then selecting
> "Run as...". At this point, I would type in the Domain Admin's credentials
> and be able to do what I needed to do.
> How can I do this in Vista? Whenever I click on the "Run as..." it just
> runs the program with elevated rights. I am needing to run it with
> completely
> different credentials altogether.
> I have tried getting around this by using the Runas command, but it fails
> to open AD because it needs elevated privileges (even when running the
> command prompt with elevated privileges).
> Any help would be greatly appreciated. Thanks in advance!

 

[njohn]

Re: Run As different user

I am not sure what you mean by that, your post was rather vague.

When looking at Enterprise, what would you like me to see? Does Enterprise
have that capability while the other versions do not? Is there a way to get
that capability in the Business version?


"James Matthews" wrote:

> look at windows vista enterpirse
>
> --
>
> http://search.goldwatches.com/?Search=Movado+Watches
> http://www.goldwatches.com/
> http://www.jewelerslounge.com/
> "njohn" <njohn@discussions.microsoft.com> wrote in message
> news:8170DD80-9339-4D93-8316-A7328F359C9E@microsoft.com...
> > When using XP, I was able to run different programs (AD, etc) as a Domain
> > Admin while logged onto the computer as a Domain User. I did this by
> > holding
> > the shift key down while right clicking on the program and then selecting
> > "Run as...". At this point, I would type in the Domain Admin's credentials
> > and be able to do what I needed to do.
> > How can I do this in Vista? Whenever I click on the "Run as..." it just
> > runs the program with elevated rights. I am needing to run it with
> > completely
> > different credentials altogether.
> > I have tried getting around this by using the Runas command, but it fails
> > to open AD because it needs elevated privileges (even when running the
> > command prompt with elevated privileges).
> > Any help would be greatly appreciated. Thanks in advance!
>

 

[Toad]

Re: Run As different user

njohn wrote:

> When using XP, I was able to run different programs (AD, etc) as a
> Domain Admin while logged onto the computer as a Domain User. I did
> this by holding the shift key down while right clicking on the
> program and then selecting "Run as...". At this point, I would type
> in the Domain Admin's credentials and be able to do what I needed to
> do. How can I do this in Vista? Whenever I click on the "Run
> as..." it just runs the program with elevated rights. I am needing to
> run it with completely different credentials altogether.
> I have tried getting around this by using the Runas command, but it
> fails to open AD because it needs elevated privileges (even when
> running the command prompt with elevated privileges).
> Any help would be greatly appreciated. Thanks in advance!

Hi there,

I just got Vista by virtue of a new machine and was playing around with
UAC. Unfortunately, the runas command provided does not elevate rights
as does the Run as Administrator on the contecxt menu just as you
pointed out.

Anyway, I have compiled up shellas.exe which just calls ShellExecute
API with the runas verb as one of the parameters - this isn't different
than in XP.

So, now I can type shellas somecommand in the Run dialog and not have
to find the exe and right click on it... The command will run with
elevated rights as the user you select in the dialog.

I have gone a step further. In XP, I run as a limited user, but once I
log in, I become an administrator, so that I can optionally run
processes that need admin rights as myself and not another user (e.g.
installs). Upon, logoff I am depricated to a limited user again for the
next time.

I have now dome something similar in Vista, but it works subtley
different and isn't really as necessary any more, but works to keep
myself a limited user until I logon (after explorer desktop starts),
then using shellas I am made an administrator, then can run commands
later with elevated rights as myself and not another user; at logoff, I
am removed from the administrators group.

Toad

--


--

 

[njohn]

Re: Run As different user

I am glad that you were able to program something around this, but this is
something that should be built in! After all, it is following Microsoft's
guidelines for safe practices in a domain environment. I shouldn't need to
write a program to do something that was not only built into the last several
OS's that were released, but also encouraged by Microsoft. I am holding my
breath to see if SP1 will fix this (in my opinion) integral flaw in Vista.

"Toad" wrote:

> njohn wrote:
>
> > When using XP, I was able to run different programs (AD, etc) as a
> > Domain Admin while logged onto the computer as a Domain User. I did
> > this by holding the shift key down while right clicking on the
> > program and then selecting "Run as...". At this point, I would type
> > in the Domain Admin's credentials and be able to do what I needed to
> > do. How can I do this in Vista? Whenever I click on the "Run
> > as..." it just runs the program with elevated rights. I am needing to
> > run it with completely different credentials altogether.
> > I have tried getting around this by using the Runas command, but it
> > fails to open AD because it needs elevated privileges (even when
> > running the command prompt with elevated privileges).
> > Any help would be greatly appreciated. Thanks in advance!
>
> Hi there,
>
> I just got Vista by virtue of a new machine and was playing around with
> UAC. Unfortunately, the runas command provided does not elevate rights
> as does the Run as Administrator on the contecxt menu just as you
> pointed out.
>
> Anyway, I have compiled up shellas.exe which just calls ShellExecute
> API with the runas verb as one of the parameters - this isn't different
> than in XP.
>
> So, now I can type shellas somecommand in the Run dialog and not have
> to find the exe and right click on it... The command will run with
> elevated rights as the user you select in the dialog.
>
> I have gone a step further. In XP, I run as a limited user, but once I
> log in, I become an administrator, so that I can optionally run
> processes that need admin rights as myself and not another user (e.g.
> installs). Upon, logoff I am depricated to a limited user again for the
> next time.
>
> I have now dome something similar in Vista, but it works subtley
> different and isn't really as necessary any more, but works to keep
> myself a limited user until I logon (after explorer desktop starts),
> then using shellas I am made an administrator, then can run commands
> later with elevated rights as myself and not another user; at logoff, I
> am removed from the administrators group.
>
> Toad
>
> --
>
>
> --
>
>

 

[Toad]

Re: Run As different user

njohn wrote:

> I am glad that you were able to program something around this, but
> this is something that should be built in! After all, it is following
> Microsoft's guidelines for safe practices in a domain environment. I
> shouldn't need to write a program to do something that was not only
> built into the last several OS's that were released, but also
> encouraged by Microsoft. I am holding my breath to see if SP1 will
> fix this (in my opinion) integral flaw in Vista.
>
> "Toad" wrote:
>
> > njohn wrote:
> >
> > > When using XP, I was able to run different programs (AD, etc)
> > > as a Domain Admin while logged onto the computer as a Domain
> > > User. I did this by holding the shift key down while right
> > > clicking on the program and then selecting "Run as...". At this
> > > point, I would type in the Domain Admin's credentials and be able
> > > to do what I needed to do. How can I do this in Vista?
> > > Whenever I click on the "Run as..." it just runs the program with
> > > elevated rights. I am needing to run it with completely different
> > > credentials altogether. I have tried getting around this by
> > > using the Runas command, but it fails to open AD because it needs
> > > elevated privileges (even when running the command prompt with
> > > elevated privileges). Any help would be greatly appreciated.
> > > Thanks in advance!
> >
> > Hi there,
> >
> > I just got Vista by virtue of a new machine and was playing around
> > with UAC. Unfortunately, the runas command provided does not
> > elevate rights as does the Run as Administrator on the contecxt
> > menu just as you pointed out.
> >
> > Anyway, I have compiled up shellas.exe which just calls ShellExecute
> > API with the runas verb as one of the parameters - this isn't
> > different than in XP.
> >
> > So, now I can type shellas somecommand in the Run dialog and not
> > have to find the exe and right click on it... The command will run
> > with elevated rights as the user you select in the dialog.
> >
> > I have gone a step further. In XP, I run as a limited user, but
> > once I log in, I become an administrator, so that I can optionally
> > run processes that need admin rights as myself and not another user
> > (e.g. installs). Upon, logoff I am depricated to a limited user
> > again for the next time.
> >
> > I have now dome something similar in Vista, but it works subtley
> > different and isn't really as necessary any more, but works to keep
> > myself a limited user until I logon (after explorer desktop starts),
> > then using shellas I am made an administrator, then can run commands
> > later with elevated rights as myself and not another user; at
> > logoff, I am removed from the administrators group.
> >
> > Toad
> >
> > --
> >
> >
> > --
> >
> >

You can do it with a script as well (available in Vista resource kit).
Basically, it just uses ShellExecute(Ex) API I think also...

I don't think it is an integral flaw. You cannot get elevated rights
without prompting - yes, the OS could provide an EXE just as my shellas
to use from Run or command shell. But, it is trivial to code and I am
sure similar utils are already avaiable on the web. Doing it without
prompting (as XP runas /savecred) is worthless security-wise, although
I did write a much more secure version that can run command aliases
using encrypted user credentials to avoid prompting...

Toad
--

 

[njohn]

Re: Run As different user

I think we are talking on two different levels here. I am wanting to run a
program (Active Directory, Group Policy Management, etc) as a Domain Admin
and not with elevated rights. In XP, 2000, and 9x, you could run an
application as a different user by right clicking, selecting Run As, and
typing in the other user's credentials. I have been unable to do this in
Vista. Supposedly I can do this from the command line (but why should I have
to?), but when I try running (runas /userOMAIN\DOMAIN_ADMIN "mmc
%system%\dsa.msc) from the command line, I get an error 740. This is the
problem I am running into. As such, whenever I am wanting to make a change in
Active Directory (which can be several times a day), I am having to remote to
a XP box, then do the RunAs... domain admin. Why did Vista lose this
functionality that is integral to Network Admins?

"Toad" wrote:

> njohn wrote:
>
> > I am glad that you were able to program something around this, but
> > this is something that should be built in! After all, it is following
> > Microsoft's guidelines for safe practices in a domain environment. I
> > shouldn't need to write a program to do something that was not only
> > built into the last several OS's that were released, but also
> > encouraged by Microsoft. I am holding my breath to see if SP1 will
> > fix this (in my opinion) integral flaw in Vista.
> >
> > "Toad" wrote:
> >
> > > njohn wrote:
> > >
> > > > When using XP, I was able to run different programs (AD, etc)
> > > > as a Domain Admin while logged onto the computer as a Domain
> > > > User. I did this by holding the shift key down while right
> > > > clicking on the program and then selecting "Run as...". At this
> > > > point, I would type in the Domain Admin's credentials and be able
> > > > to do what I needed to do. How can I do this in Vista?
> > > > Whenever I click on the "Run as..." it just runs the program with
> > > > elevated rights. I am needing to run it with completely different
> > > > credentials altogether. I have tried getting around this by
> > > > using the Runas command, but it fails to open AD because it needs
> > > > elevated privileges (even when running the command prompt with
> > > > elevated privileges). Any help would be greatly appreciated.
> > > > Thanks in advance!
> > >
> > > Hi there,
> > >
> > > I just got Vista by virtue of a new machine and was playing around
> > > with UAC. Unfortunately, the runas command provided does not
> > > elevate rights as does the Run as Administrator on the contecxt
> > > menu just as you pointed out.
> > >
> > > Anyway, I have compiled up shellas.exe which just calls ShellExecute
> > > API with the runas verb as one of the parameters - this isn't
> > > different than in XP.
> > >
> > > So, now I can type shellas somecommand in the Run dialog and not
> > > have to find the exe and right click on it... The command will run
> > > with elevated rights as the user you select in the dialog.
> > >
> > > I have gone a step further. In XP, I run as a limited user, but
> > > once I log in, I become an administrator, so that I can optionally
> > > run processes that need admin rights as myself and not another user
> > > (e.g. installs). Upon, logoff I am depricated to a limited user
> > > again for the next time.
> > >
> > > I have now dome something similar in Vista, but it works subtley
> > > different and isn't really as necessary any more, but works to keep
> > > myself a limited user until I logon (after explorer desktop starts),
> > > then using shellas I am made an administrator, then can run commands
> > > later with elevated rights as myself and not another user; at
> > > logoff, I am removed from the administrators group.
> > >
> > > Toad
> > >
> > > --
> > >
> > >
> > > --
> > >
> > >
>
> You can do it with a script as well (available in Vista resource kit).
> Basically, it just uses ShellExecute(Ex) API I think also...
>
> I don't think it is an integral flaw. You cannot get elevated rights
> without prompting - yes, the OS could provide an EXE just as my shellas
> to use from Run or command shell. But, it is trivial to code and I am
> sure similar utils are already avaiable on the web. Doing it without
> prompting (as XP runas /savecred) is worthless security-wise, although
> I did write a much more secure version that can run command aliases
> using encrypted user credentials to avoid prompting...
>
> Toad
> --
>
>