Aaron Cumiskey asked:

Microsoft, Windows, XP - Runas without loading elevated user settings

Is it possible to use 'runas' to gain elevated privs to an app AND retain the current profile/HKCU/env/settings etc?

This is the scenario.
In a corp environment there are a number of end users who have limited access to Internet Explorer settings tabs (i.e. tools, internet options).
A website these users need is poorly written and uses unsigned ActiveX content, which these users are unable to download due to restrictions in group policy, which I have no direct access to.

I can move the user accounts to a different organisational unit in AD which through GP grants access to these extra tabs, then change the setting I want in IE, then move the user account back to the original OU and gpupdate on the client machine, but it's messy, and I want to make this easier, and do-able by the service desk.

I was hoping to use runas, but what I have read so far implies that the runas user account settings are loaded, stopping me from changing the current users settings.

I thought that the runas qualifiers '/noprofile' or '/env' would help, but I don't believe they do.

Is there a way round, or is this just the limitations of the runas command, and if so, can anyone suggest a workaround?
Thanks
Brian Pierce

If it is a site that you need and trust why not just add the site to the list of trusted sites - that will allow users to run the controls without the need for elevated privileges. See http://www.jsifaq.com/SF/Tips/Tip.aspx?id=6644
Or create an installation package of the ActiveX and deploy it to the users that need it via GPO software installation.
Aaron Cumiskey (ASKER)

Ok ..

KCTS:
If it is a site that you need and trust why not just add the site to the list of trusted sites - that will allow users to run the controls without the need for elevated privileges.
 - Our global group policy would override it

CoccoBill:
Or create an installation package of the ActiveX and deploy it to the users that need it via GPO software installation.
 - Don't have admin access to the website, it's managed by a team in Germany.

Thanks very much for both your comments.

I accept that the correct approach is to fix the ActiveX credentials so to speak, and eventually this will happen.

But my question is about runas .. The example I have explained only serves to highlight the possible limitations of runas.

I am hoping for a definitive answer to the runas question, effectively : can runas be used to authenticate a process, but not use/load anything else from the account ?

If you put the users into an OU you can apply the group policy to add the trusted site to that OU and it would take precedence.

KCTS: - As I said originally, unfortunately, here in the UK, we have no access to group policy. It's a global company.

A group policy is the only sensible option, certainly preferable to using runas - I suggest you discuss the matter with your IT department.

KCTS: - I don't believe that using GP to set MSIE to accept unsigned ActiveX content for end users is the right way to go.

Can anyone tell me: Can RUNAS be used only to authenticate an executable, but not use/load anything else (take on the identity) of/from that account?

SOLUTION
CoccoBill

This solution is only available to members.

I'm not suggesting that you grant all users the ability to run unsigned ActiveX content from all sites - just for the particular site by adding the site as a "trusted site" - see my previous comments.

Can RUNAS be used only to authenticate an executable, but not use/load anything else (take on the identity) of/from that account?

You can try using the following....

runas /noprofile /env /user:UID iexplore

RUNAS USAGE:

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /user:<UserName> program

   /noprofile        specifies that the user's profile should not be loaded.
                     This causes the application to load more quickly, but
                     can cause some applications to malfunction.
   /env              to use current environment instead of user's.
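
One way to check which account and registry hive `HKCU` resolves to inside a process started with the command above. This is an added example, not part of the thread; it assumes PowerShell is installed on the client, and `Get-HkcuContext` is a hypothetical helper name. It only reads values.

```powershell
# Added example: HKCU is resolved from the *process token*, so a process started
# with runas sees the runas account's hive, not the logged-on user's.
function Get-HkcuContext {
    $id  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sid = $id.User.Value

    # A user's hive is mounted at HKEY_USERS\<SID> only while the profile is loaded.
    # With /noprofile it is not mounted, and HKCU maps to HKEY_USERS\.DEFAULT.
    $hiveLoaded = Test-Path "Registry::HKEY_USERS\$sid"

    # Internet zone (3), action 1004 = "Download unsigned ActiveX controls".
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $prop    = Get-ItemProperty -Path $zoneKey -Name '1004' -ErrorAction SilentlyContinue
    $value   = if ($prop) { $prop.'1004' } else { $null }

    # /env only copies environment variables from the caller; compare it with the
    # token identity to see that the two can disagree.
    New-Object PSObject -Property @{
        TokenAccount   = $id.Name
        TokenSid       = $sid
        HiveLoaded     = $hiveLoaded
        HkcuResolvesTo = if ($hiveLoaded) { "HKEY_USERS\$sid" } else { 'HKEY_USERS\.DEFAULT' }
        EnvUserName    = $env:USERNAME
        EnvUserProfile = $env:USERPROFILE
        Zone3_1004     = $value
    }
}

Get-HkcuContext | Format-List
```

Run it once in the end user's own session and once in a PowerShell window started with `runas /noprofile /env /user:UID powershell`; a different `TokenSid` and `HkcuResolvesTo` in the second run means any IE setting changed there is written outside the end user's hive.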
ASKER CERTIFIED SOLUTION

This solution is only available to members.

Can runas be used to execute an app that then retains access to parent user settings? No - but worth remembering the "all users" commonality.

The solution I used for the problem was to obtain the ActiveX content from TIF and have the helpdesk use regsvr32 to push it out to a limited number of users. So, why not GP in this instance? (i) The website will be changed so that the ActiveX content will work for our global image; much better to increase standards than to decrease security to accommodate poor systems. (ii) A request to create a GP to relax MSIE settings, even for an internal server, would be rejected; if you think about the security implications, this makes sense. (iii) As the situation is temp, the created GP would be removed shortly anyway.

Thanks to everyone for your comments.