Solved

Microsoft, Windows, XP - Runas without loading elevated user settings

Posted on 2007-12-04
12
1,313 Views
Last Modified: 2013-12-08
Is it possible to use 'runas' to gain elevated privs to an app AND retain the current profile/HKCU/env/settings etc?

This is the scenario.
In a corp environment there are a number of end users who have limited access to Internet Explorer settings tabs (i.e. tools, internet options)
A website these users need is poorly written and uses unsigned activex content, which these users are unable to download due to restrictions in group policy, which I have no direct access to.

I can move the user accounts to an different organisational unit in AD which through GP grants access to these extra tabs, then change the setting I want in IE, then move the user account back to the original OU and gpupdate on the client machine, but its messy, and I want to make this easier, and do-able by the service desk.

I was hoping to use runas, but what I have read so far implies that the runas user account settings are loaded, stopping me from changing the current users settings.

I thought that the runas qualifiers '/noprofile' or '/env' would help, but I dont believe they do.

Is there a way round, or is this just the limitations of the runas command, and if so, can anyone suggest a work around?
Thanks
0
Comment
Question by:StinkyPete
  • 4
  • 4
  • 2
  • +1
12 Comments
 
LVL 70

Expert Comment

by:KCTS
Comment Utility
If it is a site that you need and trust why not just add the site to the list of trusted sites - that will allow users to run the controls without the need for elevated privilages. See http://www.jsifaq.com/SF/Tips/Tip.aspx?id=6644
0
 
LVL 19

Expert Comment

by:CoccoBill
Comment Utility
Or create an installation package of the activex and deploy it to the users that need it via GPO software installation.
0
 
LVL 6

Author Comment

by:StinkyPete
Comment Utility
Ok ..

KCTS:
If it is a site that you need and trust why not just add the site to the list of trusted sites - that will allow users to run the controls without the need for elevated privilages.
 - Our global group policy would over ride it

CoccoBill:
Or create an installation package of the activex and deploy it to the users that need it via GPO software installation.
 - Dont have admin access to the website, its managed by a team in Germany.

Thanks very much for both your comments.

I accept that the correct approach is to fix the ActiveX credentials so to speak, and eventually this will happen.

But my question is about runas .. The example I have explained only serves to highlight the possible limitations of runas.

I am hoping for a definitive answer to the runas question, effectively : can runas be used to authenticate a process, but not use/load anything else from the account ?

0
 
LVL 70

Expert Comment

by:KCTS
Comment Utility
If you put the users into an OU you can apply the group policy to add the trusted site to that OU and it would take presidence.
0
 
LVL 6

Author Comment

by:StinkyPete
Comment Utility

KCTS: - As I said originally, unfortunately, here in the UK, we have no access to group policy. Its a global company.

0
 
LVL 70

Expert Comment

by:KCTS
Comment Utility
A group policy is the only sensible option, certainly preferble to using runas - I suggest you discuss the matter with your IT department.
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 6

Author Comment

by:StinkyPete
Comment Utility

KCTS: - I dont believe that using GP to set MSIE to accept unasigned activeX content for end users is the right way to go.

Can anyone tell me : Can RUNAS be used only to authenticate an executable, but not use/load anything else (take on the identity)  of/from that account ?

0
 
LVL 19

Assisted Solution

by:CoccoBill
CoccoBill earned 100 total points
Comment Utility
You shouldn't set IE to accept any unsigned activex content, just from that particular server.

To your question, no, afaik it cannot be done with runas, unless the activex can be installed for "all users", that is under HKEY_USERS not HKEY_CURRENT_USER. Runas uses the secondary login function, and is always run under the context of a different user, it can't per se be used to grant temporary admin privileges to a certain user context.
0
 
LVL 70

Expert Comment

by:KCTS
Comment Utility
I'm not suggesting that you grant all users the ability to run unasigned activeX content from all sites - just for the particular site by adding the site as a "trusted site" - see my previous comments.
0
 
LVL 66

Expert Comment

by:johnb6767
Comment Utility
Can RUNAS be used only to authenticate an executable, but not use/load anything else (take on the identity)  of/from that account ?

You can try using the following....

runas /noprofile /env /user:UID iexplore

RUNAS USAGE:

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /user:<UserName> program

   /noprofile        specifies that the user's profile should not be loaded.
                     This causes the application to load more quickly, but
                     can cause some applications to malfunction.
   /env              to use current environment instead of user's.
0
 
LVL 66

Accepted Solution

by:
johnb6767 earned 150 total points
Comment Utility
Runas is NOT designed to work this way. GPO would be the ideal thing.....secondly, you can capture the ActiveX in the Temporary Internet Files, and try and package it out that way......

In the TIF's, look for a .cab file.... Probably just a .dll and an .inf that as all the regsvr32 commands in it anyway. Just uninstall the control fom a machine, and capture it on the reinstall.
0
 
LVL 6

Author Closing Comment

by:StinkyPete
Comment Utility
Can runas be used to execute an app that then retains access to parent user settings=No - But worth remembering the "all users" commonality

Solution I used the problem was to obtain the activex content from TIF and have the helpdesk use regsvr32 to push it out to a limited number of users. So, why not GP in this instance ? , (i) The website will be changed so that the activex content will work for our global image, much better to increase standards, than to decrease security to accomodate poor systems.  (ii) A request to create a GP to relax MSIE settings, even for an internal server would be rejected, if you think about the security implications, this makes sense. (iii) As the situation is temp, the created GP would be removed shortly anyway.

Thanks to everyone for your comments.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
Citrix XenApp, Internet Explorer 11 set to Enterprise Mode and using central hosted sites.xml file.
This Micro Tutorial will demonstrate how to add subdomains to your content reports. This can be very importing in having a site with multiple subdomains.
Shows how to create a shortcut to site-search Experts Exchange using Google in the Chrome browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch the Search Engine Menu: In chrome, via you…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now