Step 5: Caveats

Administrators need admin privileges, but not all the time. Learn how to work securely by only elevating your privileges as necessary.

This Content Component encountered an error

There are some times when RunAs doesn't work.

  • Some apps reuse existing instances
    • Windows Explorer
    • Microsoft Office Word
  • Some apps get started through the shell
    • ShellExecute[Ex]
    • DDE
  • Current version of WindowsUpdate!
  • And Microsoft Update!

Trying to run Windows Explorer with different privileges is often a problem because Explorer only likes to run one instance on the desktop and any request will default to an existing instance. There are some ways around this:

  1. Use Internet Explorer, or do run as then what you do is start as admin and then type a local address. Then you'll be running as admin.
  2. Set the flag that lets Windows Explorer run multiple instances - not designed to support RunAs, but it does work. The trick is that the option has to be set as the target user. The admin account has to have this option set.

There are also some issues related to using the local admin account:

  • No access to domain resources.
  • Different profile settings
  • Some apps assume that the installer is the user - This information is stored in hkey_current_user. If the app is used with a different account there may be settings missing and the app will fail to work
  • Per-user Policy settings - Much of policy is hkey_current_user, which is locked down. You need to be admin in current account.
  • Power Options applet is per user and per machine.

The solution to some of these problems is to run something as you but with your admin privileges. As mentioned previously, MakeMeAdmin can help with this.


Elevating privileges for administrators

 Home: Introduction
 Step 1: RunAs dialog
 Step 2: RunAs command line
 Step 3: Differentiating security levels
 Step 4: MakeMeAdmin
 Step 5: Caveats
 Step 6: Resources

ABOUT THE AUTHOR:
 
Aaron Margosis is a Senior Consultant with Microsoft Consulting Services, focusing on US Federal government customers. He specializes in application development on Microsoft platforms and products with an emphasis on application and platform security. Aaron has blogged extensively about how to run Windows as a non-admin, and created the popular MakeMeAdmin and PrivBar utilities. Aaron holds Bachelors and Masters Degrees from the University of Virginia, and calls Arlington, VA, home.
Copyright 2005 TechTarget
 

This was first published in April 2006
This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchVirtualDesktop

SearchWindowsServer

SearchExchange

Close