Do you utilize the secondary logon (RunAs) when logged on as a user who has limited rights? Have you ever used
RunAs with Internet Explorer 6, then typed C: in the address bar to run an Explorer window with elevated privileges? Have you tried this with Internet Explorer 7(IE7)? If so, you may have noticed that Microsoft broke this feature in IE7.
Some programs, including Control Panel, the Printers folder and Microsoft Management Console utilities like Disk Manager, are started either directly or indirectly using the Windows Explorer Shell. The problem is that some of these programs require elevated privileges to run (aka admin rights) and the logged-on user is not an admin.
Admins using Windows XP had a quick workaround: launching the program via the RUNAS command. But sometimes you need to run several admin utilities at once, and using RUNAS for each of them individually is a pain in the neck.
An alternate method was to use Internet Explorer 6 with the RunAs command. After doing so, you'd type C: in the address bar, hit Enter and then Internet Explorer would convert itself into a Windows Explorer window running under admin privileges.
From there, everything you launched would be started using admin privileges. The command line for this is: runas/user:administrator "\"c:\program files\internet explorer\iexplore\" c:\\"
(Note: This method has worked for me, but some applications are just too picky for this workaround. So you may encounter scenarios where you still cannot get enough privileges to complete your work.)
Unfortunately, Microsoft has removed this wonderfully simple functionality from IE7. If you're an admin who needs this ability, but cannot log off the current user, there is only one default workaround I know of. Short of running all your desired windows and tools individually using the RunAs command, you can instead run the whole Explorer.exe shell under administrative rights to get your work done.
The basic concept is to use RunAs to start Task Manager, kill the explorer.exe task and restart the explorer.exe process (which would now be started with admin privileges), do the work needed, then kill and restart the explorer process using the original logged-on user.
Here's how to do it. While logged on as a normal user:
Start Task Manager using RunAs. You must do this first, because if you just start Task Manager and perform the steps below, you will not be able to quick the Explorer.exe running with Admin privileges later. Start>Run>Type: runas/user:machine or domain name\administrator taskmgr.exe.
Click the Processes tab. Select explorer.exe. Click End Process. Click Yes on the warning pop-up message. The entire desktop will disappear. You will still have any programs that you started including Task Manager.
Click the Programs tab. Click New Task. Type: explorer.exe. Click OK.
A Console window will appear and prompt you for the password. Minimize Task Manager, type the password and press Enter. The desktop will return, including the task bar, shortcuts, Startup folder items, etc. Perform necessary administrative tasks. For example: clicking Start, Settings and Control Panel will bring up control panel in administrative context.
When you're finished, expand the Task Manager window and kill the explorer.exe process. Then restart by choosing the Programs tab. Click New Task. Type: runas /user:machine or domain name\user taskmgr.exe. (Note: You should use the original logged-on user's account to restart the Explorer shell under their own privileges. Do this so the user does not retain the elevated privileges of the admin account from step 3.)
- Close Task Manager.
It's a lot of steps, but it's the only way I've found to get an Explorer window open with administrative privileges while allowing the user to stay logged on. If anyone has another workaround, let me know.
There's a nice script from Aaron Margosis that temporarily elevates a user's privileges, but relying on scripts is not a perfect solution. Unless you carry that script with you at all times, you'll more than likely hit a scenario (especially if you're a contractor) where you don't have the script handy. As such, it's better to know how to use the default options in Windows (tools, commands, etc.) that are available (in my humble opinion).
Note: You cannot just use RunAs against explorer.exe by default, because it will check to see if a version of Explorer is running and will exit if it detects one. You can work around this by setting the folder option to "Launch folder windows in a separate process." This is a per-user option, off by default, that needs to be set for the target user account.
That is, if you want to use RunAs to start explorer.exe as MyAdminAccount, then MyAdminAccount needs to have the "separate process" option set. Once this flag has been set, you can start explorer.exe with RunAs, or from your admin cmd shell. (I'm sure you can set this via Group Policy, but I've yet to go down that road.)
Note 2: If you're trying to perform a network-related task and still get the same credentials failure message, even when you perform the above steps, you may need to connect to that resource using a mapped network drive that was created using the RUNAS command. See the Microsoft knowledge base article.
Other RunAs references
Aaron Margosis covers the subject of RunAs extensively on his "Non-Admin" blog site, providing useful RunAs shortcuts and tips, advice on getting RunAs to run with Explorer and describing the MakeMeAdmin command, which provides temporary admin capability for your Limited User account.
In addition, there's a Microsoft KnowledgeBase site.
About the author: Tim Fenner (MCSE, MCSA: Messaging, Network+ and A+) is a senior systems administrator who oversees a Microsoft Windows, Exchange and Office environment, as well as an independent consultant who specializes in the design, implementation and management of Windows networks.