Re: enable "runas" under account, without log into workstations ?

From: mmac (no_at_thank.you)
Date: 11/20/04


Date: Sat, 20 Nov 2004 00:12:31 -0800

You are right on both counts. I have used the tools from Sysinternals to
make programs work with some success, but QuickBooks was such a pain to make
work, only to find that the only reason it was necessary to add all those
permissions was because QB would simply write a key to see if it could and
then it deletes it. It does this a dozen times to different keys and then
never tries again after the initial startup. What a pita! and for nothing!
and QB support is silent on the matter.
    I know that some programmers aren't able to address these issues because
of the compiler they use or outright inexperience, but I wouldn't think
Intuit would qualify for that distinction. They are doing it on purpose.

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:Onfs%23LtzEHA.1452@TK2MSFTNGP11.phx.gbl...
> Understood. It is too bad that there are still too many programs that
> require administrator access to run. If you are lucky they may run as a
> regular user with some permissions mods to program files folder, machine
> registry key for the application, and maybe the all user's profile.
> SysInternals make a couple of tools called filemon and regmon that can
> help with tracking down permissions problems if you logon as regular user
> and invoke them with runas and then looking in their log files for "denied
> access" when application launch fails for places to modify permissions and
> try again. People have told me that Quicken is not too helpful in
> resolving the program. --- Steve
>
>
> "mmac" <no@thank.you> wrote in message
> news:O1PdF$szEHA.824@TK2MSFTNGP11.phx.gbl...
>> yes, item 1 states that you create the account as an admin.
>> 2. that's also true, this would be used as a runas command for the non
>> admins. The big point was that we didn't want to add the user to the
>> admins group, just be able to use the account for the single program that
>> won't run unless on an admin account. Like Quickbooks, Printmaster, and
>> many other programs not intended for a file secured environment.
>> The downside of this approach is if the user is smart enough he can
>> figure out that the account can be used for other programs as well. We
>> just hope he doesn't figure it out.
>>
>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>> news:%23yV3X0szEHA.2636@TK2MSFTNGP11.phx.gbl...
>>>I assume for this to work the user able2run needs to be added to the
>>>administrators group.
>>>
>>> The other thing to keep in mind is that a user does not need to logon as
>>> an administrator to exploit the power of the account if the user knows
>>> administrator credentials. For instance the command [ runas
>>> /user:able2run "net localgroup administrators /add myaccount" ] would
>>> prompt the user for the credentials for able2run and then add the users
>>> account to the local administrators group. Granted the average user may
>>> not know how to do such but it is something to be aware of. --- Steve
>>>
>>>
>>> "mmac" <no@thank.you> wrote in message
>>> news:eFRI8TrzEHA.2012@TK2MSFTNGP15.phx.gbl...
>>>>I got the following in response to a similar problem, hope it helps.
>>>>
>>>> 1. Click Start / Control Panel / User Accounts / Create a New Account
>>>> /
>>>> Name the Account: "able2play" (without quotes) / Next Pick:
>>>> "Computer-
>>>> Administrator" & Click "Create Account";
>>>>
>>>> 2. Click on your new able2run account and Create a Password for it;
>>>>
>>>> 3. When your limited user wants to run a program that requires
>>>> Administrator
>>>> privileges they can Right-Click the shortcut to that program / Click
>>>> Run As... /
>>>> "The Following User": able2run and enter the password. Simple as
>>>> that!
>>>>
>>>> I know what you're thinking: That defeats the purpose of the limited
>>>> user account.
>>>> To secure the "able2run" account so that it can't be used to logon to
>>>> the computer:
>>>>
>>>> First you can hide the account so that it won't show up on the Welcome
>>>> Screen:
>>>> http://www.dougknox.com/xp/scripts_desc/xp_hide_users.htm (thanks
>>>> Doug!)
>>>>
>>>> Next add a shortcut to the windows logoff routine into the RUN key of
>>>> the
>>>> able2run registry.
>>>> This is a one shot attempt that must be done from within the account.
>>>> Once done you can't gain access to the account again so get it right
>>>> the first time
>>>>
>>>> 4. Logon to the "able2run" account,
>>>>
>>>> 5. Click Start / Run / regedt32 / browse to:
>>>> [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] and
>>>> Click Edit / New / String value / ValueName: logoff / Value data:
>>>> logoff
>>>>
>>>> From now on, if anyone logs on with the "able2run" account, the
>>>> computer will log
>>>> them off immediately. They will not gain access to an administrators
>>>> desktop! :-)
>>>>
>>>> "Hernán Castelo" <bajopalabra@hotmail.com> wrote in message
>>>> news:u48577ozEHA.2636@TK2MSFTNGP11.phx.gbl...
>>>>> hi
>>>>> i need to set up an account
>>>>> just for execute an .exe via "RunAs" command
>>>>> but preventing to start windows
>>>>> with that account on the network
>>>>>
>>>>> its possible ?
>>>>>
>>>>> --
>>>>> atte,
>>>>> Hernán Castelo
>>>>> SGA - UTN - FRBA
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
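
The filemon/regmon triage Steve describes above (find the "denied access" entries for the one program, then adjust permissions only there), as an added example that is not part of the original thread. The log layout, process name, and paths are constructed assumptions, not real Regmon/Filemon output or real QuickBooks keys.

```python
from collections import defaultdict

# Constructed sample rows; the column order (seq, time, process, request,
# path, result) and the request/result names are assumptions for illustration.
ROWS = [
    ("1", "10:01:02", "legacyapp.exe", "OpenKey", r"HKLM\Software\ExampleVendor\LegacyApp", "SUCCESS"),
    ("2", "10:01:02", "legacyapp.exe", "CreateKey", r"HKLM\Software\ExampleVendor\LegacyApp\probe1", "ACCDENIED"),
    ("3", "10:01:02", "legacyapp.exe", "CreateKey", r"HKLM\Software\ExampleVendor\LegacyApp\probe2", "ACCDENIED"),
    ("4", "10:01:03", "legacyapp.exe", "SetValue", r"HKLM\Software\ExampleVendor\LegacyApp\LastRun", "ACCDENIED"),
    ("5", "10:01:03", "explorer.exe", "OpenKey", r"HKLM\Software\Classes\.txt", "ACCDENIED"),
    ("6", "10:01:04", "legacyapp.exe", "CreateKey", r"HKCR\.lga\probe", "ACCDENIED"),
    ("7", "10:01:05", "legacyapp.exe", "CREATE", r"C:\Program Files\ExampleVendor\LegacyApp\app.tmp", "ACCESS DENIED"),
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in ROWS)

# Requests whose logged path names a new child item or a value name:
# the ACL that decided the outcome sits on the parent key or folder.
PARENT_SCOPED = {"createkey", "setvalue", "create"}


def denied_targets(log_text, process):
    """Return {resource: sorted request names} for one process's denied operations."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        row = line.split("\t")
        if len(row) < 6:
            continue  # header, blank or truncated line
        proc, request, path, result = row[2], row[3], row[4], row[5]
        if proc.lower() != process.lower() or "DENIED" not in result.upper():
            continue
        if request.lower() in PARENT_SCOPED:
            path = path.rsplit("\\", 1)[0]
        hits[path.lower()].add(request)
    return {p: sorted(r) for p, r in hits.items()}


def outside_app_scope(targets, allowed_prefixes):
    """Denied resources that are not under the application's own key or folder."""
    allowed = [p.lower() for p in allowed_prefixes]
    return sorted(t for t in targets
                  if not any(t == a or t.startswith(a + "\\") for a in allowed))


if __name__ == "__main__":
    found = denied_targets(SAMPLE_LOG, "legacyapp.exe")
    for resource, requests in sorted(found.items()):
        print(resource, requests)
```

Entries returned by `outside_app_scope` are the ones to review before granting anything, since they fall outside the application's own registry key and program folder.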


