John Darby
asked on
CMD shell scripting runas
Below I have two statements: the first runs fine, the second gives access denied, even when I run the script "As Administrator". Both run fine when manually inserted onto the CMD line.
Any idea what I am missing? Thanks!
%windir%\system32\runas.exe /profile /env /user:domain\jdarby2 "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
%windir%\system32\runas.exe /profile /env /user:domain\jdarby2 "C:\Windows\explorer.exe"
ASKER
Thanks; I have been running as Local Admin already, but inside the script execution access to C:\Windows is restricted.
I would think that you'll need to lower the UAC setting. Sometimes it's the only way.
ASKER
UAC settings are set by GPO and cannot be changed without a bunch of hassle :/
ASKER
Update: I lowered UAC to never notify and took ownership of the \Windows directory to the LocalAdmins group; I made sure the account referred in RUNAS is a member of LocalAdmin group...still no love :(
This is just running locally on your own machine (not through a remote session or virtual box or anything)?
ASKER
Yes; it is local...the error almost acts like UAC wants to prompt for elevated perms (run as Admin) and is unable to spawn the Message window. However, UAC has been turned off :/
I've requested more experts on this. Wish I had a quicker answer for you.
Just a thought: What if you referenced a shortcut to explorer instead of explorer.exe directly?
My guess is that Microsoft restricted this in an update because it proved to be a security hole (someone can, after all, do a lot of damage with explorer.exe while in the Windows directory).
ASKER
Thanks sl8rz,
I think you're on the path...it may be some REG change necessary to execute in the form I have it above. I could go back to my initial need and see if any other method might be suggested:
I need to regularly open an explorer window with an alternate user with specific perms to remote directories.
There's the crux of the matter, isn't it...opening an explorer window in someone else's profile? I don't think that would be intentionally blocked by Microsoft, if the user has admin privileges and the other profile was not admin. However, if the other profile is admin then I'm not so sure.
ASKER
Both are local admin; the "other" account is also a Domain Admin
I'll try this against both admin and non-admin; it won't surprise me if it works against the non-admin account. If it does, then we'll know that we are dealing with a security barrier designed specifically to prevent this particular action.
ASKER
Thank you
No joy. I think Microsoft is purposefully trying to prevent this.
ASKER
I will dig a bit more
Try these:
1st with Local Admin to see if it works:
%windir%\system32\runas.exe /profile /env /user:local_Admin "C:\Windows\explorer.exe"
2nd with cmd.exe /k switch as below:
%windir%\system32\runas.exe /profile /env /user:domain\jdarby2 "cmd.exe /c C:\Windows\explorer.exe"
2nd command isolates two commands to be executed in its own area.
Try and let us know.
Sys.
Hi,
Our GPOs are very locked down as well. Even when logged in as a local admin and starting using "run as administrator" you're going to have issues if... your scripts are on the C: drive. UAC is a bear about running scripts from C:. Try them from the D: drive and see if that works. Also, using the /env and /profile switches will also break things because they'll try to write the temp info to the user's profile folder temp location - which is on the C: drive.
Not promising this is your issue, but it's dinged us in the past. We get around this by using Sysinternals psexec to launch things like explorer with the -h switch to elevate, the -s switch to use system impersonation, and the -w switch to force the working directory to somewhere not on C:.
Good Luck,
- gurutc
ASKER
Thank you all! The reg edit worked. :)
http://www.youtube.com/watch?v=OGHQzg69vsg
If not, let me know. :)