Run As different user

[njohn]

When using XP, I was able to run different programs (AD, etc) as a Domain
Admin while logged onto the computer as a Domain User. I did this by holding
the shift key down while right clicking on the program and then selecting
"Run as...". At this point, I would type in the Domain Admin's credentials
and be able to do what I needed to do.
How can I do this in Vista? Whenever I click on the "Run as..." it just
runs the program with elevated rights. I am needing to run it with completely
different credentials altogether.
I have tried getting around this by using the Runas command, but it fails
to open AD because it needs elevated privileges (even when running the
command prompt with elevated privileges).
Any help would be greatly appreciated. Thanks in advance!

 

[James Matthews]

look at windows vista enterpirse

 

[njohn]

I am not sure what you mean by that, your post was rather vague.

When looking at Enterprise, what would you like me to see? Does Enterprise
have that capability while the other versions do not? Is there a way to get
that capability in the Business version?

 

[Toad]

When using XP, I was able to run different programs (AD, etc) as a
Domain Admin while logged onto the computer as a Domain User. I did
this by holding the shift key down while right clicking on the
program and then selecting "Run as...". At this point, I would type
in the Domain Admin's credentials and be able to do what I needed to
do. How can I do this in Vista? Whenever I click on the "Run
as..." it just runs the program with elevated rights. I am needing to
run it with completely different credentials altogether.
I have tried getting around this by using the Runas command, but it
fails to open AD because it needs elevated privileges (even when
running the command prompt with elevated privileges).
Any help would be greatly appreciated. Thanks in advance!

Hi there,

I just got Vista by virtue of a new machine and was playing around with
UAC. Unfortunately, the runas command provided does not elevate rights
as does the Run as Administrator on the contecxt menu just as you
pointed out.

Anyway, I have compiled up shellas.exe which just calls ShellExecute
API with the runas verb as one of the parameters - this isn't different
than in XP.

So, now I can type shellas somecommand in the Run dialog and not have
to find the exe and right click on it... The command will run with
elevated rights as the user you select in the dialog.

I have gone a step further. In XP, I run as a limited user, but once I
log in, I become an administrator, so that I can optionally run
processes that need admin rights as myself and not another user (e.g.
installs). Upon, logoff I am depricated to a limited user again for the
next time.

I have now dome something similar in Vista, but it works subtley
different and isn't really as necessary any more, but works to keep
myself a limited user until I logon (after explorer desktop starts),
then using shellas I am made an administrator, then can run commands
later with elevated rights as myself and not another user; at logoff, I
am removed from the administrators group.

Toad

 

[njohn]

I am glad that you were able to program something around this, but this is
something that should be built in! After all, it is following Microsoft's
guidelines for safe practices in a domain environment. I shouldn't need to
write a program to do something that was not only built into the last several
OS's that were released, but also encouraged by Microsoft. I am holding my
breath to see if SP1 will fix this (in my opinion) integral flaw in Vista.

 

[Toad]

I am glad that you were able to program something around this, but
this is something that should be built in! After all, it is following
Microsoft's guidelines for safe practices in a domain environment. I
shouldn't need to write a program to do something that was not only
built into the last several OS's that were released, but also
encouraged by Microsoft. I am holding my breath to see if SP1 will
fix this (in my opinion) integral flaw in Vista.

You can do it with a script as well (available in Vista resource kit).
Basically, it just uses ShellExecute(Ex) API I think also...

I don't think it is an integral flaw. You cannot get elevated rights
without prompting - yes, the OS could provide an EXE just as my shellas
to use from Run or command shell. But, it is trivial to code and I am
sure similar utils are already avaiable on the web. Doing it without
prompting (as XP runas /savecred) is worthless security-wise, although
I did write a much more secure version that can run command aliases
using encrypted user credentials to avoid prompting...

Toad
--

 

[njohn]

I think we are talking on two different levels here. I am wanting to run a
program (Active Directory, Group Policy Management, etc) as a Domain Admin
and not with elevated rights. In XP, 2000, and 9x, you could run an
application as a different user by right clicking, selecting Run As, and
typing in the other user's credentials. I have been unable to do this in
Vista. Supposedly I can do this from the command line (but why should I have
to?), but when I try running (runas /userOMAIN\DOMAIN_ADMIN "mmc
%system%\dsa.msc) from the command line, I get an error 740. This is the
problem I am running into. As such, whenever I am wanting to make a change in
Active Directory (which can be several times a day), I am having to remote to
a XP box, then do the RunAs... domain admin. Why did Vista lose this
functionality that is integral to Network Admins?