Shortcut RunAs

Will Szymkowski
Will Szymkowski used Ask the Experts™
on
Environment:
Domain/Forest Functional Level 2003
All DC's 2003
Workstation OS Windows 7 Pro
Joined to Domain

Scenario:
I have a unique situation. We currently have a Kiosk machine that has been locked down via Group policy. We also have a generic user called "kioskuser" which Auto Logs on to the domain.

We do not want any users being able to "Log off" or "Shutdown" or "Switch User" so they have been disabled Via group policy. The only setting that they can do it "restart" the machine, which then auto logs on to the "kioskuser" upon startup.

Question:
Becuase we have locked down a bunch of settings with group policy, I would like to know if there is anyway to have a Shortcut on the desktop of "kioskuser" that can only be invoked from the RunAs command. Meaning, I do not want the "kioskuser" to be able to launch this Shortcut "switch user" without typing administrative credentials.

I have been testing this out by have not been able to get it working as needed.

If anyone has any ideas on this issue it would be greatly apprecaited.

Thanks!
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Commented:
Maybe create a new group of people (exclude admin's) and apply this group policy

Computer Policy -> Administrative Templates -> System -> Logon

double-click on "Hide entry points for Fast User Switching" option and set it to Enabled.


Also, if you do "run as" it will always ask you to use current credentials or another.
not tested... but you could edit the shortcut security and only leave "adminstrators" group or the admin account on that computer.
Will SzymkowskiSenior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Author

Commented:
I have created a Shortcut for Switch User. This is on the desktop of the "Kioskuser" account. If i double click the shortcut, it does allow me to launch it without having to type in anything. Ultimately I would like to have it prompt for Username and Password or simply have to right click and "RunAs Administrator".
Success in ‘20 With a Profitable Pricing Strategy

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Will SzymkowskiSenior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Author

Commented:
Thanks for the suggestion Francois but I have tried this already. Basically if you do not have permissions set on the shortcut, you cannot do anything with it. The shortcut icon is missing and also if you right click to do "Run As Administrator" it does not appear. It also does nothing when you double click it.
Senior .Net Developer
Commented:
http://answers.microsoft.com/en-us/windows/forum/windows_7-security/how-to-force-logoff-from-command-line/8e7507e0-12c8-4ac7-8d5e-a1917e4af997

create this as a batch file.

You should be prompted for the admin credentials:
runas /user:.\administrator "shutdown -f -l -m \\.  -t 1"
Will SzymkowskiSenior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Author

Commented:
Thank you for the comment ged325, I have treid this and yet it works for requesting a password tied to a username but when you enter the credentials it appears to try and logout via the Event Viewer but the users session still stays active and does not logout.
Kyle AbrahamsSenior .Net Developer

Commented:
This is the correct format:
runas /user:.\administrator "<command>"

do you have a command that will logoff the user?  I'm surprised that the user session would still be active after calling shutdown -l
Will SzymkowskiSenior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Author

Commented:
Yeah I have been doing some searching/testing and it appears with the "internal" windows "shutdown" command for Windows 7. It does not appear to work when you are logged in as a User and try to logout with another users credentials. I believe this is due to being able to have multiple session in Windows 7.

You can be logged in as another user and log them out via Task Manager but not with different credentials.

So for the solution I have used Group Policy to remove the LogOff feature. I have then created the batch file using the following command...

runas /user:domain.com\kioskuser  "shutdown /l /f"
This prompts for the currently logged in user "password"

This works for us because this account auto logins to the domain b/c its a Kiosk. So no one using this machine knows the password other than admins.

Thanks for the help everyone!
Kyle AbrahamsSenior .Net Developer

Commented:
I just found the logoff command which should work, but haven't tested it.
Will SzymkowskiSenior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Author

Commented:
If you don't mind please post and I will test in my environment.
Kyle AbrahamsSenior .Net Developer

Commented:
local admin version:
runas /user:.\administartor "logoff kioskuser"

domain admin:
runas /user:domain.com\administrator "logoff kioskuser"
Will SzymkowskiSenior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Author

Commented:
Thanks for the update. I have tried this with the domain credentials and it did not work for me. Have you tried this?

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial