Solved

Microsoft, Windows, XP - Runas without loading elevated user settings

Posted on 2007-12-04
Last Modified: 2013-12-08
Is it possible to use 'runas' to gain elevated privs to an app AND retain the current profile/HKCU/env/settings etc?

This is the scenario.
In a corp environment there are a number of end users who have limited access to Internet Explorer settings tabs (i.e. Tools, Internet Options).
A website these users need is poorly written and uses unsigned ActiveX content, which these users are unable to download due to restrictions in group policy, which I have no direct access to.

I can move the user accounts to a different organisational unit in AD which through GP grants access to these extra tabs, then change the setting I want in IE, then move the user account back to the original OU and gpupdate on the client machine, but it's messy, and I want to make this easier, and doable by the service desk.

I was hoping to use runas, but what I have read so far implies that the runas user account settings are loaded, stopping me from changing the current user's settings.

I thought that the runas qualifiers '/noprofile' or '/env' would help, but I don't believe they do.

Is there a way round, or is this just the limitations of the runas command, and if so, can anyone suggest a workaround?
Thanks
Question by:StinkyPete
12 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 20401978
If it is a site that you need and trust, why not just add the site to the list of trusted sites - that will allow users to run the controls without the need for elevated privileges. See http://www.jsifaq.com/SF/Tips/Tip.aspx?id=6644
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 20402432
Or create an installation package of the ActiveX and deploy it to the users that need it via GPO software installation.
0
 
LVL 6

Author Comment

by:StinkyPete
ID: 20402514
Ok ..

KCTS:
If it is a site that you need and trust, why not just add the site to the list of trusted sites - that will allow users to run the controls without the need for elevated privileges.
 - Our global group policy would override it

CoccoBill:
Or create an installation package of the ActiveX and deploy it to the users that need it via GPO software installation.
 - Don't have admin access to the website, it's managed by a team in Germany.

Thanks very much for both your comments.

I accept that the correct approach is to fix the ActiveX credentials so to speak, and eventually this will happen.

But my question is about runas .. The example I have explained only serves to highlight the possible limitations of runas.

I am hoping for a definitive answer to the runas question, effectively : can runas be used to authenticate a process, but not use/load anything else from the account ?

0

 
LVL 70

Expert Comment

by:KCTS
ID: 20402557
If you put the users into an OU you can apply the group policy to add the trusted site to that OU and it would take precedence.
0
 
LVL 6

Author Comment

by:StinkyPete
ID: 20402639

KCTS: - As I said originally, unfortunately, here in the UK, we have no access to group policy. It's a global company.

0
 
LVL 70

Expert Comment

by:KCTS
ID: 20402661
A group policy is the only sensible option, certainly preferable to using runas - I suggest you discuss the matter with your IT department.
0
 
LVL 6

Author Comment

by:StinkyPete
ID: 20402774

KCTS: - I don't believe that using GP to set MSIE to accept unsigned ActiveX content for end users is the right way to go.

Can anyone tell me: can RUNAS be used only to authenticate an executable, but not use/load anything else (take on the identity) of/from that account?

0
 
LVL 19

Assisted Solution

by:CoccoBill
CoccoBill earned 400 total points
ID: 20402855
You shouldn't set IE to accept any unsigned activex content, just from that particular server.

To your question, no, afaik it cannot be done with runas, unless the activex can be installed for "all users", that is under HKEY_USERS not HKEY_CURRENT_USER. Runas uses the secondary login function, and is always run under the context of a different user, it can't per se be used to grant temporary admin privileges to a certain user context.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20402883
I'm not suggesting that you grant all users the ability to run unsigned ActiveX content from all sites - just for the particular site by adding the site as a "trusted site" - see my previous comments.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 20403093
Can RUNAS be used only to authenticate an executable, but not use/load anything else (take on the identity) of/from that account?

You can try using the following....

runas /noprofile /env /user:UID iexplore

RUNAS USAGE:

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /user:<UserName> program

   /noprofile        specifies that the user's profile should not be loaded.
                     This causes the application to load more quickly, but
                     can cause some applications to malfunction.
   /env              to use current environment instead of user's.
0
 
LVL 66

Accepted Solution

by:
johnb6767 earned 600 total points
ID: 20403172
Runas is NOT designed to work this way. GPO would be the ideal thing..... Secondly, you can capture the ActiveX in the Temporary Internet Files, and try and package it out that way......

In the TIF's, look for a .cab file.... Probably just a .dll and an .inf that has all the regsvr32 commands in it anyway. Just uninstall the control from a machine, and capture it on the reinstall.
0
 
LVL 6

Author Closing Comment

by:StinkyPete
ID: 31413110
Can runas be used to execute an app that then retains access to parent user settings = No - But worth remembering the "all users" commonality

The solution I used for the problem was to obtain the ActiveX content from TIF and have the helpdesk use regsvr32 to push it out to a limited number of users. So, why not GP in this instance? (i) The website will be changed so that the ActiveX content will work for our global image; much better to increase standards than to decrease security to accommodate poor systems. (ii) A request to create a GP to relax MSIE settings, even for an internal server, would be rejected; if you think about the security implications, this makes sense. (iii) As the situation is temp, the created GP would be removed shortly anyway.

Thanks to everyone for your comments.
0
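
An added example, not part of the original thread: a PowerShell check the service desk could run after a regsvr32 rollout to see whether a control is registered per-machine or only in the current account's HKCU, and whether its binary is signed. The function name and the CLSID are hypothetical placeholders; the registry paths are the standard COM class locations.

```powershell
# Added example (not from the thread). Get-ActiveXRegistration is a
# hypothetical helper name; the CLSID at the bottom is a constructed placeholder.
function Get-ActiveXRegistration {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Clsid   # form: '{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}'
    )

    # HKLM is shared by every account on the machine. HKCU is the hive of
    # whichever account owns this process, so under runas it is the runas
    # account's hive, not the logged-on user's.
    $scopes = @(
        @{ Scope = 'PerMachine'; Root = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Scope = 'PerUser';    Root = 'HKCU:\SOFTWARE\Classes\CLSID' }
    )

    foreach ($s in $scopes) {
        $key = "$($s.Root)\$Clsid\InprocServer32"
        if (-not (Test-Path -LiteralPath $key)) { continue }

        # The default value of InprocServer32 is the path of the control's DLL.
        $dll = (Get-ItemProperty -LiteralPath $key).'(default)'

        # Record the Authenticode status so an unsigned control stays visible
        # in the inventory after it has been pushed out.
        $sig = 'FileMissing'
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
        }

        New-Object PSObject -Property @{
            Scope     = $s.Scope
            Key       = $key
            Binary    = $dll
            Signature = $sig
        }
    }
}

# Placeholder CLSID; substitute the class ID listed in the control's .inf file.
Get-ActiveXRegistration -Clsid '{00000000-0000-0000-0000-000000000000}' |
    Format-List Scope, Key, Binary, Signature
```

Run once in the user's session and once through runas under another account: the PerMachine entry is the same in both, while a PerUser entry appears only for the account whose hive holds it.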
