Tip

Use the RUNAS Command for administrative tasks

Windows 2000 features a command-line function, RUNAS, which allows a user to execute another program with a different user's credentials. This can be used as a way to provide local users with certain administrative functions in a noninteractive way, without actually granting them the rights to do so.

  1. Create a dedicated account that can perform the needed administrative tasks, but has no local or network logon privileges (to prevent users from logging in as that user and tampering). The desktop user should know the password for this account, but should not be able to change it, log on with it, or use the account in any other way.

  2. Create a batch file or other executable that contains the needed commands, and place it in a special folder. If you want, you can create a folder that has the permissions described below and allow all children of that folder to inherit the same permissions automatically.

  3. Make sure the access permissions on the file in question consist of the following:

    1. The INTERACTIVE system account, to allow RUNAS to operate on it.
    2. The special user account listed above.

  4. Keep the ownership on the file with the master Administrator account. Also make sure that the local user has NO privileges with the file in question, to keep users from reading it or tampering with it. For the best results, you can hide all of the files in question in a folder that is off-limits to the desktop user.

  5. Create another batch file or shortcut to execute the first command or batch file, which should be executable but not editable by local users. The command in this batch file should follow this form:

    RUNAS /USER:<username> <program>

    where <username> is the name of the user account described above and <program> is the path to the batch file or executable described in step 2. The full path to the executable must be given for RUNAS to work correctly; i.e., C:\Folder\filename.bat, not just filename.bat.

When the second batch file is run, the user will be prompted for the password to the special account that RUNAS uses. For security reasons, the password cannot be passed as a command-line argument.
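
Steps 1 through 5 as a batch script run from an Administrator command prompt, added here as an example and not part of the original tip. The account name svc_task, the folders C:\AdminTasks and C:\Launchers, the file names and the Read permission level are assumptions; the logon restrictions from step 1 are assigned in Local Security Policy and are not scripted here.

```batch
@echo off
rem Added example: run from an Administrator command prompt.
rem All names below are hypothetical placeholders; change them to suit.
set TASKUSER=svc_task
set TASKDIR=C:\AdminTasks
set LAUNCHDIR=C:\Launchers

rem Step 1: create the dedicated account. "*" prompts for the password
rem so it never appears in this file; /passwordchg:no stops the account
rem from changing its own password.
net user %TASKUSER% * /add /passwordchg:no
if errorlevel 1 goto fail

rem Step 2: create the protected folder and the task batch file.
rem Replace the placeholder line with the real administrative commands.
if not exist "%TASKDIR%" mkdir "%TASKDIR%"
echo rem administrative commands go here> "%TASKDIR%\task.bat"

rem Step 3: replace the file's ACL so it lists only INTERACTIVE and the
rem task account. "echo y|" answers the confirmation prompt from cacls.
rem Read (R) is an assumed level; the tip does not name one.
echo y| cacls "%TASKDIR%\task.bat" /G INTERACTIVE:R %TASKUSER%:R
if errorlevel 1 goto fail

rem Step 4: ownership stays on the administrative side because the file
rem was created from this Administrator prompt. Review the result:
cacls "%TASKDIR%\task.bat"

rem Step 5: write the launcher with the full path to the task file, then
rem make it readable and runnable, but not editable, by local users.
if not exist "%LAUNCHDIR%" mkdir "%LAUNCHDIR%"
echo RUNAS /USER:%COMPUTERNAME%\%TASKUSER% "%TASKDIR%\task.bat"> "%LAUNCHDIR%\run-task.bat"
echo y| cacls "%LAUNCHDIR%\run-task.bat" /G Administrators:F Users:R
if errorlevel 1 goto fail

echo Setup complete. Users start %LAUNCHDIR%\run-task.bat and enter the
echo %TASKUSER% password when RUNAS prompts for it.
goto end

:fail
echo Setup failed; check the messages above.

:end
```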


Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter.


This was first published in September 2002
