3

One thing that's annoyed me for a great while about administrating a Windows domain is trying to work primarily from a limited user account. Much of what I do on my workstation on a day-to-day basis doesn't require admin rights, so I prefer to run as a limited user for security reasons. The problem, of course, is all those times when I have to do something as a domain admin.

With Windows Vista, "fast user switching" finally worked for machines in a domain, but I have a few problems with it: 1) Switching is slow, 2) About one out of five times, switching user accounts will cause Vista to forget my display settings to the point where they cannot be restored without a restart. Fun stuff.

Oftentimes I only need a file browser to run with elevated privileges, and it appears as though there's no way to run an Explorer instance in this manner (via Runas). It also appears that browsing files via IE is now just running an Explorer process, and is thus limited in the same way.

I've been running FreeCommander via Sysinternals ShellRunas for this purpose, and it works. It's just not a good experience.

I would kill for something closer to sudo. Am I completely missing something obvious?

Boden

7 Answers

2

You are doing the right thing running as a limited account.

I solve this problem by doing rdesktop to another system (usually a server), and logging in as the domain admin.

Fast user switching is a good method, but if it is causing you headaches, then....

  • I remote in to servers. But when I have to transfer files from my workstation or just set some permissions quickly, it sure would be nice if I could just open a share as an elevated user. – Boden Oct 22 '09 at 17:50
2

You can run Explorer under another user context, but you have to kill the existing Explorer first to do it, and it's really pretty ugly. If you really want to try it, open a command-prompt with "RunAs" and your domain administrator account. From that command prompt, use "Task Manager" to kill the existing "Explorer.exe" and then start a new one. You'll get an elevated "Explorer.exe" running as the domain administrator account.

It's really an ugly hack, though, so I wouldn't do it in practice.

Evan Anderson
  • Thanks for this. I'll take your advice and not do it :) Maybe Windows 7 will help me since some of my problems here are directly related to Vista (e.g. wonky user switching). – Boden Oct 22 '09 at 17:46
  • Win7 is perfect for this, I haven't had to pull out any of my runas tricks since moving to it. – atom255 Oct 22 '09 at 18:02
2

I run into this all the time.

If you're looking to do a quick/simple permissions change or copy/rename/delete, just do a runas on notepad or mmc and use the file open dialog box to make the changes.


You can browse to whatever folder you want, right-click for properties/permissions, copy and paste. One thing to note is that the view won't refresh right away; hit F5 after renaming/moving a file etc.

Glorfindel
atom255
1

I have a script that would launch runas then something else (e.g. MMC) elevated.

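' Relaunch the given program elevated via the ShellExecute "runas" verb.
' First script argument: program to start; remaining arguments are passed to it.
Set objShell = CreateObject("Shell.Application")
app = WScript.Arguments(0)
args = ""
' Join the remaining arguments with spaces so they are not run together
For i = 1 To (WScript.Arguments.length - 1)
   args = args & " " & WScript.Arguments(i)
Next
' Trim removes the leading space added by the loop
objShell.ShellExecute app, Trim(args), "", "runas"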

If you hate the constant prompt for creds, perhaps using something that can take creds instead of runas ... but then storing creds in a script is an exposure, plus perhaps eroding the benefit of running as a lower account.

JamesR
  • Thanks. The problem however is running things like Explorer, for which this won't work. BTW, you should check out ShellRunas. – Boden Oct 22 '09 at 17:45
0

I used to do this with runas and Internet Explorer in Windows XP. You can then browse files inside the IE window. I have not had the need to try this in Windows Vista though.

0

If remote desktop is enabled, you can use RDP to connect to localhost with alternate creds. The problem is that this loads the whole user session and a lot of unneeded stuff for just using one program.

EDIT: I haven't tried this with Vista (or XP). I am using Server 2008 as my workstation and it works great under it.

i2so4
  • Can you elaborate on this? I get an error: "You are already connected to the console of this computer." – Boden Oct 22 '09 at 17:48
  • 1
    I don't think this would work for something other than server. XP at least locks the console when you connect via RDP, it's still a single user OS. – atom255 Oct 22 '09 at 17:59
0

Do your runas on this:

explorer.exe /separate

The separate is an undocumented flag, but it launches it in a separate process window (AKA it will not check for an existing explorer shell before launching).

Shial