Link to home
Start Free TrialLog in
Avatar of Will Szymkowski
Will SzymkowskiFlag for Canada

asked on

Shortcut RunAs

Domain/Forest Functional Level 2003
All DC's 2003
Workstation OS Windows 7 Pro
Joined to Domain

I have a unique situation. We currently have a Kiosk machine that has been locked down via Group policy. We also have a generic user called "kioskuser" which Auto Logs on to the domain.

We do not want any users being able to "Log off" or "Shutdown" or "Switch User" so they have been disabled Via group policy. The only setting that they can do it "restart" the machine, which then auto logs on to the "kioskuser" upon startup.

Becuase we have locked down a bunch of settings with group policy, I would like to know if there is anyway to have a Shortcut on the desktop of "kioskuser" that can only be invoked from the RunAs command. Meaning, I do not want the "kioskuser" to be able to launch this Shortcut "switch user" without typing administrative credentials.

I have been testing this out by have not been able to get it working as needed.

If anyone has any ideas on this issue it would be greatly apprecaited.

Avatar of kpoineal

Maybe create a new group of people (exclude admin's) and apply this group policy

Computer Policy -> Administrative Templates -> System -> Logon

double-click on "Hide entry points for Fast User Switching" option and set it to Enabled.

Also, if you do "run as" it will always ask you to use current credentials or another.
Avatar of Francois_IT
not tested... but you could edit the shortcut security and only leave "adminstrators" group or the admin account on that computer.
Avatar of Will Szymkowski


I have created a Shortcut for Switch User. This is on the desktop of the "Kioskuser" account. If i double click the shortcut, it does allow me to launch it without having to type in anything. Ultimately I would like to have it prompt for Username and Password or simply have to right click and "RunAs Administrator".
Thanks for the suggestion Francois but I have tried this already. Basically if you do not have permissions set on the shortcut, you cannot do anything with it. The shortcut icon is missing and also if you right click to do "Run As Administrator" it does not appear. It also does nothing when you double click it.
Avatar of Kyle Abrahams, PMP
Kyle Abrahams, PMP
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Thank you for the comment ged325, I have treid this and yet it works for requesting a password tied to a username but when you enter the credentials it appears to try and logout via the Event Viewer but the users session still stays active and does not logout.
This is the correct format:
runas /user:.\administrator "<command>"

do you have a command that will logoff the user?  I'm surprised that the user session would still be active after calling shutdown -l
Yeah I have been doing some searching/testing and it appears with the "internal" windows "shutdown" command for Windows 7. It does not appear to work when you are logged in as a User and try to logout with another users credentials. I believe this is due to being able to have multiple session in Windows 7.

You can be logged in as another user and log them out via Task Manager but not with different credentials.

So for the solution I have used Group Policy to remove the LogOff feature. I have then created the batch file using the following command...

runas /\kioskuser  "shutdown /l /f"
This prompts for the currently logged in user "password"

This works for us because this account auto logins to the domain b/c its a Kiosk. So no one using this machine knows the password other than admins.

Thanks for the help everyone!
I just found the logoff command which should work, but haven't tested it.
If you don't mind please post and I will test in my environment.
local admin version:
runas /user:.\administartor "logoff kioskuser"

domain admin:
runas /\administrator "logoff kioskuser"
Thanks for the update. I have tried this with the domain credentials and it did not work for me. Have you tried this?