Solved

Microsoft, Windows, XP - Runas without loading elevated user settings

Posted on 2007-12-04
Last Modified: 2013-12-08
Is it possible to use 'runas' to gain elevated privs to an app AND retain the current profile/HKCU/env/settings etc?

This is the scenario.
In a corp environment there are a number of end users who have limited access to Internet Explorer settings tabs (i.e. tools, internet options).
A website these users need is poorly written and uses unsigned activex content, which these users are unable to download due to restrictions in group policy, which I have no direct access to.

I can move the user accounts to a different organisational unit in AD which through GP grants access to these extra tabs, then change the setting I want in IE, then move the user account back to the original OU and gpupdate on the client machine, but it's messy, and I want to make this easier, and do-able by the service desk.

I was hoping to use runas, but what I have read so far implies that the runas user account settings are loaded, stopping me from changing the current user's settings.

I thought that the runas qualifiers '/noprofile' or '/env' would help, but I don't believe they do.

Is there a way round, or is this just the limitations of the runas command, and if so, can anyone suggest a work around?
Thanks
0
Question by:StinkyPete
12 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 20401978
If it is a site that you need and trust why not just add the site to the list of trusted sites - that will allow users to run the controls without the need for elevated privileges. See http://www.jsifaq.com/SF/Tips/Tip.aspx?id=6644
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 20402432
Or create an installation package of the activex and deploy it to the users that need it via GPO software installation.
0
 
LVL 6

Author Comment

by:StinkyPete
ID: 20402514
Ok ..

KCTS:
If it is a site that you need and trust why not just add the site to the list of trusted sites - that will allow users to run the controls without the need for elevated privileges.
 - Our global group policy would override it

CoccoBill:
Or create an installation package of the activex and deploy it to the users that need it via GPO software installation.
 - Don't have admin access to the website, it's managed by a team in Germany.

Thanks very much for both your comments.

I accept that the correct approach is to fix the ActiveX credentials so to speak, and eventually this will happen.

But my question is about runas .. The example I have explained only serves to highlight the possible limitations of runas.

I am hoping for a definitive answer to the runas question, effectively : can runas be used to authenticate a process, but not use/load anything else from the account ?

0

 
LVL 70

Expert Comment

by:KCTS
ID: 20402557
If you put the users into an OU you can apply the group policy to add the trusted site to that OU and it would take precedence.
0
 
LVL 6

Author Comment

by:StinkyPete
ID: 20402639

KCTS: - As I said originally, unfortunately, here in the UK, we have no access to group policy. It's a global company.

0
 
LVL 70

Expert Comment

by:KCTS
ID: 20402661
A group policy is the only sensible option, certainly preferable to using runas - I suggest you discuss the matter with your IT department.
0
 
LVL 6

Author Comment

by:StinkyPete
ID: 20402774

KCTS: - I don't believe that using GP to set MSIE to accept unsigned activeX content for end users is the right way to go.

Can anyone tell me : Can RUNAS be used only to authenticate an executable, but not use/load anything else (take on the identity)  of/from that account ?

0
 
LVL 19

Assisted Solution

by:CoccoBill
CoccoBill earned 100 total points
ID: 20402855
You shouldn't set IE to accept any unsigned activex content, just from that particular server.

To your question, no, afaik it cannot be done with runas, unless the activex can be installed for "all users", that is under HKEY_USERS not HKEY_CURRENT_USER. Runas uses the secondary login function, and is always run under the context of a different user, it can't per se be used to grant temporary admin privileges to a certain user context.
0
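Added example, not part of the original thread: a read-only PowerShell sketch of the point made in the answer above, that a process started with runas sees the runas account's HKEY_CURRENT_USER rather than the logged-on user's. It assumes PowerShell is available on the client; the function name and the choice of the Trusted sites zone value as the sample setting are this example's assumptions.

```powershell
# Added illustration (not from the thread): show which registry hive this
# process actually sees as HKEY_CURRENT_USER. Read-only; it changes nothing.

function Get-HkcuIdentity {
    # The account whose token this process carries.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sid      = $identity.User.Value

    # HKCU is an alias for HKEY_USERS\<SID of the process token>.
    # IE security settings for the Trusted sites zone (zone 2) live under it.
    $zonePath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
    $viaHkcu  = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($zonePath)
    # May be $null when the account's hive is not loaded (e.g. /noprofile).
    $viaUsers = [Microsoft.Win32.Registry]::Users.OpenSubKey("$sid\$zonePath")

    # 1004 = "Download unsigned ActiveX controls" (0 enable, 1 prompt, 3 disable).
    $fromHkcu  = if ($viaHkcu)  { $viaHkcu.GetValue('1004') }  else { $null }
    $fromUsers = if ($viaUsers) { $viaUsers.GetValue('1004') } else { $null }

    if ($viaHkcu)  { $viaHkcu.Close() }
    if ($viaUsers) { $viaUsers.Close() }

    New-Object PSObject -Property @{
        Account          = $identity.Name   # who this process runs as
        Sid              = $sid             # names the hive behind HKCU
        Zone2_1004_HKCU  = $fromHkcu        # value read through HKCU
        Zone2_1004_Users = $fromUsers       # same value read via HKEY_USERS\<SID>
    }
}

Get-HkcuIdentity | Format-List
```

Run it once in the user's own session and once from a console started with runas under another account: the Account and Sid lines change, which is why settings edited in the elevated process land in the other account's hive.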
 
LVL 70

Expert Comment

by:KCTS
ID: 20402883
I'm not suggesting that you grant all users the ability to run unsigned activeX content from all sites - just for the particular site by adding the site as a "trusted site" - see my previous comments.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 20403093
Can RUNAS be used only to authenticate an executable, but not use/load anything else (take on the identity)  of/from that account ?

You can try using the following....

runas /noprofile /env /user:UID iexplore

RUNAS USAGE:

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /user:<UserName> program

   /noprofile        specifies that the user's profile should not be loaded.
                     This causes the application to load more quickly, but
                     can cause some applications to malfunction.
   /env              to use current environment instead of user's.
0
 
LVL 66

Accepted Solution

by:johnb6767
johnb6767 earned 150 total points
ID: 20403172
Runas is NOT designed to work this way. GPO would be the ideal thing.....secondly, you can capture the ActiveX in the Temporary Internet Files, and try and package it out that way......

In the TIF's, look for a .cab file.... Probably just a .dll and an .inf that has all the regsvr32 commands in it anyway. Just uninstall the control from a machine, and capture it on the reinstall.
0
 
LVL 6

Author Closing Comment

by:StinkyPete
ID: 31413110
Can runas be used to execute an app that then retains access to parent user settings = No - But worth remembering the "all users" commonality

The solution I used for the problem was to obtain the activex content from TIF and have the helpdesk use regsvr32 to push it out to a limited number of users. So, why not GP in this instance? (i) The website will be changed so that the activex content will work for our global image, much better to increase standards than to decrease security to accommodate poor systems. (ii) A request to create a GP to relax MSIE settings, even for an internal server, would be rejected; if you think about the security implications, this makes sense. (iii) As the situation is temp, the created GP would be removed shortly anyway.

Thanks to everyone for your comments.
0
