How to start cmd.exe BOTH as administrator locally AND domain admin?

  • Thread starter Thread starter HAL07
  • Start date Start date
H

HAL07

The new security model of Vista is nice. But I have the following problem: Some administrative actions cannot be started even if
it's run under Domain Admins.
e.g. if I am domain admin and type NET STOP SPOOLER as domain admin, you get Access denied on the local Vista system.

I then made a shortcut for C:\Windows\System32\cmd.exe /c runas /user:domain\adminuser cmd.exe which will start CMD as adminuser.
I then right-click on this shortcut and press run as administrator.
But it's still giving me access denied.

I have some scripts that needs to be run as both Domain Admin, and Local Admin.
How do I do this , except for modifying all my scripts?
 
User contexts are not additive - you cannot log on as user A, and run a
program as user B, expecting the result to be a combination of A+B's rights.

RunAs will _discard_ the current user's context in favour of a different
user's context.

What _is_ additive is the concept of group memberships - a user can be a
member of several groups. What you need to do, in order to get domain and
local administrator access is to create a domain account that is a member of
the Domain Administrators group, and then make that account also a member of
the local Administrators group on the machine you're working on. Or maybe
you want all Domain Admins to be local admins, which you can do by adding
the Domain Administrators group as a member of the local Administrators
group.

Alun.
~~~~
 
Alun said:
User contexts are not additive - you cannot log on as user A, and run a
program as user B, expecting the result to be a combination of A+B's
rights.

RunAs will _discard_ the current user's context in favour of a different
user's context.

What _is_ additive is the concept of group memberships - a user can be a
member of several groups. What you need to do, in order to get domain
and local administrator access is to create a domain account that is a
member of the Domain Administrators group, and then make that account
also a member of the local Administrators group on the machine you're
working on. Or maybe you want all Domain Admins to be local admins,
which you can do by adding the Domain Administrators group as a member
of the local Administrators group.

Alun.
~~~~

I know that. however the user _is_ a member of domain admins, and domain admins _are_ member of local administrators.
Still no go.
 
Back
Top