Many programs cannot be run properly in any context other than the administrator account or an account with administrator privileges. Because of this, administrators often face this dilemma: Should they give their users admin privileges, in spite of the possible security hazards and headaches this may cause, or should they try to find another program that will work properly outside of the administrator context, a move which could cause lost productivity and possibly other problems?
It is possible to run a program from another user's context, but the way Windows 2000 and XP Professional implement this feature requires that the user know the password for the other account. This makes it difficult to run the program securely. If you create a new administrator-level account that has no local login permissions, then the program will not be able to run in the first place and that certainly defeats the purpose!
The solution involves the use of Windows Script Host to create a script that can run the program in the appropriate context and provide the password non-interactively. Here is a sample script:
set WshShell = CreateObject("WScript.Shell")
WshShell.Run "runas /user:Serdar ""e:test.bat"""
In this example, the user is Serdar and the file to run is e:test.bat. (Note the use of double quotes in the WshShell.Run command to pass quotes on to the command interpreter.)
To prevent users from reading the file directly and learning the password, the script can be encoded using Microsoft's Script Encoder tool. Be sure to rename the encoded script with a .VBE extension rather than .VBS. (Note that this will not prevent a very determined user from finding the password, but it will certainly stop someone from casually learning it.) Using permissions to prevent users from reading the file unfortunately also prevents it from being run by the VBScript interpreter.
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!
This was first published in September 2003