enable "runas" under account, without logging into workstations?

Discussion in 'Server Networking' started by Hernán Castelo, Nov 19, 2004.

  1. hi
    i need to set up an account
    just to execute an .exe via the "RunAs" command
    but prevent logging on to windows
    with that account on the network

    is it possible?
     
    Hernán Castelo, Nov 19, 2004
    #1

  2. mmac Guest

    I got the following in response to a similar problem, hope it helps.

    1. Click Start / Control Panel / User Accounts / Create a New Account /
    Name the Account: "able2play" (without quotes) / Next Pick: "Computer
    Administrator" & Click "Create Account";

    2. Click on your new able2run account and Create a Password for it;

    3. When your limited user wants to run a program that requires
    Administrator privileges they can Right-Click the shortcut to that
    program / Click Run As... / "The Following User": able2run and enter
    the password. Simple as that!

    I know what you're thinking: That defeats the purpose of the limited user
    account. To secure the "able2run" account so that it can't be used to
    logon to the computer:

    First you can hide the account so that it won't show up on the Welcome
    Screen:
    http://www.dougknox.com/xp/scripts_desc/xp_hide_users.htm (thanks Doug!)

    Next add a shortcut to the windows logoff routine into the RUN key of the
    able2run registry. This is a one shot attempt that must be done from
    within the account. Once done you can't gain access to the account again,
    so get it right the first time.

    4. Logon to the "able2run" account,

    5. Click Start / Run / regedt32 / browse to:
    [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] and
    Click Edit / New / String value / ValueName: logoff / Value data: logoff

    From now on, if anyone logs on with the "able2run" account, the computer
    will log them off immediately. They will not gain access to an
    administrators desktop! :)
     
    mmac, Nov 20, 2004
    #2

  3. I assume for this to work the user able2run needs to be added to the
    administrators group.

    The other thing to keep in mind is that a user does not need to logon as an
    administrator to exploit the power of the account if the user knows
    administrator credentials. For instance the command [ runas /user:able2run
    "net localgroup administrators /add myaccount" ] would prompt the user for
    the credentials for able2run and then add the users account to the local
    administrators group. Granted the average user may not know how to do such
    but it is something to be aware of. --- Steve
     
    Steven L Umbach, Nov 20, 2004
    #3
  4. mmac Guest

    1. Yes, item 1 states that you create the account as an admin.
    2. That's also true; this would be used as a runas command for the non
    admins. The big point was that we didn't want to add the user to the admins
    group, just be able to use the account for the single program that won't run
    unless on an admin account. Like Quickbooks, Printmaster, and many other
    programs not intended for a file secured environment.
    The downside of this approach is if the user is smart enough he can figure
    out that the account can be used for other programs as well. We just hope he
    doesn't figure it out.

     
    mmac, Nov 20, 2004
    #4
  5. Understood. It is too bad that there are still too many programs that
    require administrator access to run. If you are lucky they may run as a
    regular user with some permissions mods to program files folder, machine
    registry key for the application, and maybe the all user's profile.
    SysInternals make a couple of tools called filemon and regmon that can help
    with tracking down permissions problems if you logon as regular user and
    invoke them with runas and then looking in their log files for "denied
    access" when application launch fails for places to modify permissions and
    try again. People have told me that Quicken is not too helpful in resolving
    the program. --- Steve
     
    Steven L Umbach, Nov 20, 2004
    #5
  6. mmac Guest

    You are right on both counts. I have used the tools from sysinternals to
    make programs work with some success, but QuickBooks was such a pain to make
    work only to find that the only reason it was necessary to add all those
    permissions was because QB would simply write a key to see if it could and
    then it deletes it. It does this a dozen times to different keys and then
    never tries again after the initial startup. What a pita! and for nothing!
    and QB support is silent on the matter.
    I know that some programmers aren't able to address these issues because
    of the compiler they use or outright inexperience, but I wouldn't think
    Intuit would qualify for that distinction. They are doing it on purpose.

     
    mmac, Nov 20, 2004
    #6
  7. thanks for the replies

    combining local and domain accounts
    (matching their passwords)
    and using the "launch a program when the user logs in" option
    might it be helpful?
     
    Hernán Castelo, Nov 20, 2004
    #7
  8. Alan D. Guest

    A better way to keep someone from logging on with the account might be the
    following:

    Start / Control Panel / Administrative Tools / Local Security Policy

    Security Settings / Local Policies / User Rights Assignment / Deny Logon
    Locally

    Modify that value (Deny Logon Locally) to include the user you have just
    created.

    I believe in Windows 2000 "Local Security Policy" may be referred to as
    "Group Policy" but I'm not sure. I ran windows 2000 very briefly before
    switching to XP.

     
    Alan D., Nov 22, 2004
    #8
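    Alan's suggestion above, with a check, as an added PowerShell example that is not from the thread: it exports the local policy with secedit.exe and lists who currently holds the "Deny log on locally" right (its policy name is SeDenyInteractiveLogonRight), so you can confirm the account you created actually landed in it. The export requires an administrator session.

```powershell
# Added example, not code from the thread. Lists the accounts that hold
# "Deny log on locally" (SeDenyInteractiveLogonRight) in the local policy.
function Get-DenyLogonLocally {
    # secedit writes a Unicode .inf; the USER_RIGHTS area holds the privilege lines
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & "$env:SystemRoot\System32\secedit.exe" /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $cfg -Encoding Unicode |
        Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # the right is not assigned to anyone

    $raw = ($line -split '=', 2)[1].Trim()
    foreach ($entry in ($raw -split ',')) {
        $entry = $entry.Trim()
        if ($entry -like '*S-1-*') {
            # secedit stores SIDs with a leading '*'; translate them to DOMAIN\Name
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $entry }
        } else {
            $entry   # already a plain account name
        }
    }
}

Get-DenyLogonLocally
```

    Note that runas (without /netonly) performs an interactive logon for the target account, so an account listed here is blocked from runas as well as from the desktop.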
  9. mmac Guest

    Not a bad idea. Probably better than modifying the registry directly.

     
    mmac, Nov 23, 2004
    #9
  10. Marco Guest

    Hi Hernán

    What exactly are you trying to accomplish? What application do you need/want
    to run?
     
    Marco, Nov 23, 2004
    #10
  11. thanks for all replies

    i created 5 accounts
    with distinct access levels each one,
    to connect to the LAN application (.exe)
    -- and all of them members of "app_accounts"

    people log on the network
    with their own accounts;
    i think of running the application
    with the RUNAS command (in a .bat for comfort)
    disabling runas for "app_accounts"

    i want to permit the common user to log on;
    if he tries to access the app
    runas pops up the black window requiring
    the password for the account
    and i want to avoid anyone who has installed
    the sql client tools being able to log on locally
    and do anything
    i say, i want the app_accounts to run the app
    not the "users"

    how do you see it?
     
    Hernán Castelo, Nov 26, 2004
    #11
  12. Jonas Back Guest

    Sorry, but that won't work! I'm on the lookout for exactly the same thing you
    are. We want to make sure our administrators don't use their administrative
    account to log on locally on their clients. I assigned a GPO with "Deny Logon
    Locally" right and put a group there which all administrator-users are a
    member of.

    The problem is that you can't even use "RunAs" after that with that user. I
    just did this 5 minutes ago and haven't put much research into it yet. I'll
    post soon again when I've tried it out.

     
    Jonas Back, Nov 26, 2004
    #12
  13. Jonas Back Guest

    Hi again,

    I just confirmed that you cannot use the "Deny Logon Locally" right if you want
    to make sure the users don't log in locally with that account.

    Any ideas anyone how to solve this? One suggestion is to check in the
    login script if the user is a member of a special group. If it is - just
    log out. And then you assign all those users to that group.

     
    Jonas Back, Nov 26, 2004
    #13
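    Jonas's login-script idea above, as an added PowerShell example that is not from the thread: deployed as a Group Policy user logon script, it checks whether the interactive user belongs to the runas-only group (assumed here to be Hernán's "app_accounts") and, if so, records the attempt and logs the session off. Logon scripts run only for interactive desktop logons, not for runas, which is why this approach does not have the side effect "Deny log on locally" has.

```powershell
# Added example, not code from the thread. Assumes the runas-only accounts are
# members of a group named "app_accounts" and that this file is assigned as a
# Group Policy user logon script.
$RunasOnlyGroup = 'app_accounts'

function Test-RunasOnlyMember {
    param([string]$GroupName)
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            # Translate each group SID to DOMAIN\Name; SIDs that no longer resolve are skipped
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { continue }
        if ($account -like "*\$GroupName") { return $true }
    }
    return $false
}

if (Test-RunasOnlyMember -GroupName $RunasOnlyGroup) {
    # Leave a trace for the helpdesk before the session disappears.
    # Assumed: %SystemRoot%\Temp is writable by standard users on these clients.
    $logFile = Join-Path $env:SystemRoot 'Temp\runas-only-logoff.log'
    $entry = '{0:s} interactive logon refused for {1} on {2}' -f (Get-Date), $env:USERNAME, $env:COMPUTERNAME
    Add-Content -Path $logFile -Value $entry -ErrorAction SilentlyContinue

    # Same effect as mmac's HKCU Run key, but enforced centrally for the whole group
    & "$env:SystemRoot\System32\logoff.exe"
}
```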
  14. mmac Guest

    Does RunAs behave the same as a "log on locally"? If so then you may have to
    go back to my original setup which forced immediate logoff. But there should
    be a better way...

     
    mmac, Nov 28, 2004
    #14
  15. Jonas Back Guest

    I haven't tried "Log on Locally", just "Deny local logon".

    But on the other hand it would get a bit complicated. By default "Users" and
    "Administrators" are allowed to login locally. If you assign another group
    that right (for example a special group called "Allowed to login to clients")
    you have to add every single user in the domain to that group, otherwise they
    will not be able to login at all. Or maybe I just haven't thought this through
    completely yet?

     
    Jonas Back, Nov 29, 2004
    #15
  16. mmac Guest

    It keeps growing more complicated, doesn't it.

     
    mmac, Nov 30, 2004
    #16
  17. Jonas Back Guest

    Yes it does! :)

    One plan we're discussing is to enforce the use of Smart Cards for
    administrator users. As soon as you need to become an administrator of a box
    you will get another account called username_adm to which you need to login
    with a smartcard.

    Do you have any other plans as well?

    I will keep you updated how we will solve this problem with logon locally.

     
    Jonas Back, Nov 30, 2004
    #17
  18. mmac Guest

    I don't want my users to be admins, but for many of the programs they use it
    is necessary. Stupid, but necessary.
    I have more things go wrong because of the screen savers and themes these
    people download than any other job I do. Education doesn't help because they
    don't listen; after all, it's just a trouble ticket...
    rant, rant, rant .....

     
    mmac, Dec 2, 2004
    #18
  19. Jonas Back Guest

    I know exactly what you mean. We had the same problem moving to Windows XP.
    Some applications simply wanted to write in the registry for no reason.
    Luckily that was an application developed by our own developers so we told
    them to fix it or get out! :)

    Besides that we've had much luck using FileMon and RegMon but some
    applications simply won't work. Hopefully companies who develop software will
    realize that more and more companies harden their client computers and
    therefore they have to make sure they don't write to misc folders and
    registry keys on the local computer.

    Anyway, I myself have been using a "least privileged" user this whole week
    and I administrate about 200 servers. My standard user only has Domain
    Users and access to my mailbox. Whenever I need to administrate my servers I
    use my other admin account: I need to run the MMC with RunAs, and if I need to do
    something locally on the server I TS and/or connect to the server's C$. Works
    perfect so far and I don't have to worry that I'll infect all of my servers
    if I accidentally get infected by a worm on my client. If that worm is not
    capable of running TS-sessions, that is :)

     
    Jonas Back, Dec 2, 2004
    #19