How to start cmd.exe BOTH as administrator locally AND domain admin?

HAL07

The new security model of Vista is nice. But I have the following problem: Some administrative actions cannot be started even if it's run under Domain Admins.
E.g. if I am domain admin and type NET STOP SPOOLER as domain admin, you get Access denied on the local Vista system.

I then made a shortcut for C:\Windows\System32\cmd.exe /c runas /user:domain\adminuser cmd.exe which will start CMD as adminuser.
I then right-click on this shortcut and press run as administrator.
But it's still giving me access denied.

I have some scripts that need to be run as both Domain Admin and Local Admin.
How do I do this, except for modifying all my scripts?
 
Alun Jones

User contexts are not additive - you cannot log on as user A, and run a
program as user B, expecting the result to be a combination of A+B's rights.

RunAs will _discard_ the current user's context in favour of a different
user's context.

What _is_ additive is the concept of group memberships - a user can be a
member of several groups. What you need to do, in order to get domain and
local administrator access is to create a domain account that is a member of
the Domain Administrators group, and then make that account also a member of
the local Administrators group on the machine you're working on. Or maybe
you want all Domain Admins to be local admins, which you can do by adding
the Domain Administrators group as a member of the local Administrators
group.

Alun.
~~~~
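
Added example, not part of the post above or of the thread: a PowerShell check of the point that group memberships are what add up, reporting whether the token of the current process carries both the local Administrators group and Domain Admins. The SIDs are the well-known values; the output field names are made up for this example.

```powershell
# Added example: which admin groups does THIS process's token actually carry?
# Run it in the same cmd/PowerShell window the scripts would run in.

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# Well-known SIDs: BUILTIN\Administrators is S-1-5-32-544;
# Domain Admins is the domain SID followed by RID 512.
$localAdminsSid = 'S-1-5-32-544'
$domainAdminsRx = '^S-1-5-21-\d+-\d+-\d+-512$'

# WindowsIdentity.Groups returns the group SIDs in the token that can be
# used to grant access (groups marked deny-only are left out).
$tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

$report = [pscustomobject]@{
    User                = $identity.Name
    LocalAdministrators = $tokenSids -contains $localAdminsSid
    DomainAdmins        = [bool]($tokenSids -match $domainAdminsRx)
    IsInAdminRole       = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)
}
$report | Format-List

# Configured membership of the local group, for comparison with the token.
net localgroup Administrators

if (-not $report.LocalAdministrators) {
    Write-Warning ('The local Administrators group is not usable in this ' +
                   'process token, whatever the configured membership says.')
}
if (-not $report.DomainAdmins) {
    Write-Warning 'Domain Admins is not usable in this process token.'
}
```

A script that needs both sets of rights needs both fields to report True in the process that runs it.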
 
HAL07

Alun said:
User contexts are not additive - you cannot log on as user A, and run a
program as user B, expecting the result to be a combination of A+B's
rights.

RunAs will _discard_ the current user's context in favour of a different
user's context.

What _is_ additive is the concept of group memberships - a user can be a
member of several groups. What you need to do, in order to get domain
and local administrator access is to create a domain account that is a
member of the Domain Administrators group, and then make that account
also a member of the local Administrators group on the machine you're
working on. Or maybe you want all Domain Admins to be local admins,
which you can do by adding the Domain Administrators group as a member
of the local Administrators group.

Alun.
~~~~

I know that. However, the user _is_ a member of domain admins, and domain admins _are_ members of local administrators.
Still no go.
 
