Problem solve Get help with specific problems with your technologies, process and projects.

Step 5: Caveats

Administrators need admin privileges, but not all the time. Learn how to work securely by only elevating your privileges as necessary.

There are some times when RunAs doesn't work.

  • Some apps reuse existing instances
    • Windows Explorer
    • Microsoft Office Word
  • Some apps get started through the shell
    • ShellExecute[Ex]
    • DDE
  • Current version of WindowsUpdate!
  • And Microsoft Update!

Trying to run Windows Explorer with different privileges is often a problem because Explorer only likes to run one instance on the desktop and any request will default to an existing instance. There are some ways around this:

  1. Use Internet Explorer, or do run as then what you do is start as admin and then type a local address. Then you'll be running as admin.
  2. Set the flag that lets Windows Explorer run multiple instances - not designed to support RunAs, but it does work. The trick is that the option has to be set as the target user. The admin account has to have this option set.

There are also some issues related to using the local admin account:

  • No access to domain resources.
  • Different profile settings
  • Some apps assume that the installer is the user - This information is stored in hkey_current_user. If the app is used with a different account there may be settings missing and the app will fail to work
  • Per-user Policy settings - Much of policy is hkey_current_user, which is locked down. You need to be admin in current account.
  • Power Options applet is per user and per machine.

The solution to some of these problems is to run something as you but with your admin privileges. As mentioned previously, MakeMeAdmin can help with this.

Elevating privileges for administrators

 Home: Introduction
 Step 1: RunAs dialog
 Step 2: RunAs command line
 Step 3: Differentiating security levels
 Step 4: MakeMeAdmin
 Step 5: Caveats
 Step 6: Resources

Aaron Margosis is a Senior Consultant with Microsoft Consulting Services, focusing on US Federal government customers. He specializes in application development on Microsoft platforms and products with an emphasis on application and platform security. Aaron has blogged extensively about how to run Windows as a non-admin, and created the popular MakeMeAdmin and PrivBar utilities. Aaron holds Bachelors and Masters Degrees from the University of Virginia, and calls Arlington, VA, home.
Copyright 2005 TechTarget

Dig Deeper on Enterprise desktop management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.