Avatar of Will Szymkowski
Will Szymkowski
Flag for Canada asked on

Shortcut RunAs

Domain/Forest Functional Level 2003
All DC's 2003
Workstation OS Windows 7 Pro
Joined to Domain

I have a unique situation. We currently have a Kiosk machine that has been locked down via Group policy. We also have a generic user called "kioskuser" which Auto Logs on to the domain.

We do not want any users being able to "Log off" or "Shutdown" or "Switch User" so they have been disabled Via group policy. The only setting that they can do it "restart" the machine, which then auto logs on to the "kioskuser" upon startup.

Becuase we have locked down a bunch of settings with group policy, I would like to know if there is anyway to have a Shortcut on the desktop of "kioskuser" that can only be invoked from the RunAs command. Meaning, I do not want the "kioskuser" to be able to launch this Shortcut "switch user" without typing administrative credentials.

I have been testing this out by have not been able to get it working as needed.

If anyone has any ideas on this issue it would be greatly apprecaited.

Windows 7Windows Server 2003Active Directory

Avatar of undefined
Last Comment
Will Szymkowski

8/22/2022 - Mon

Maybe create a new group of people (exclude admin's) and apply this group policy

Computer Policy -> Administrative Templates -> System -> Logon

double-click on "Hide entry points for Fast User Switching" option and set it to Enabled.

Also, if you do "run as" it will always ask you to use current credentials or another.

not tested... but you could edit the shortcut security and only leave "adminstrators" group or the admin account on that computer.
Will Szymkowski

I have created a Shortcut for Switch User. This is on the desktop of the "Kioskuser" account. If i double click the shortcut, it does allow me to launch it without having to type in anything. Ultimately I would like to have it prompt for Username and Password or simply have to right click and "RunAs Administrator".
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
Will Szymkowski

Thanks for the suggestion Francois but I have tried this already. Basically if you do not have permissions set on the shortcut, you cannot do anything with it. The shortcut icon is missing and also if you right click to do "Run As Administrator" it does not appear. It also does nothing when you double click it.
Kyle Abrahams

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Will Szymkowski

Thank you for the comment ged325, I have treid this and yet it works for requesting a password tied to a username but when you enter the credentials it appears to try and logout via the Event Viewer but the users session still stays active and does not logout.
Kyle Abrahams

This is the correct format:
runas /user:.\administrator "<command>"

do you have a command that will logoff the user?  I'm surprised that the user session would still be active after calling shutdown -l
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Will Szymkowski

Yeah I have been doing some searching/testing and it appears with the "internal" windows "shutdown" command for Windows 7. It does not appear to work when you are logged in as a User and try to logout with another users credentials. I believe this is due to being able to have multiple session in Windows 7.

You can be logged in as another user and log them out via Task Manager but not with different credentials.

So for the solution I have used Group Policy to remove the LogOff feature. I have then created the batch file using the following command...

runas /user:domain.com\kioskuser  "shutdown /l /f"
This prompts for the currently logged in user "password"

This works for us because this account auto logins to the domain b/c its a Kiosk. So no one using this machine knows the password other than admins.

Thanks for the help everyone!
Kyle Abrahams

I just found the logoff command which should work, but haven't tested it.
Will Szymkowski

If you don't mind please post and I will test in my environment.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
Kyle Abrahams

local admin version:
runas /user:.\administartor "logoff kioskuser"

domain admin:
runas /user:domain.com\administrator "logoff kioskuser"
Will Szymkowski

Thanks for the update. I have tried this with the domain credentials and it did not work for me. Have you tried this?