uac - Running RSAT Tools as another user using Powershell

06
2014-04
  • Langhard

    What I try to accomplish is running some RSAT Tools out of a Powershell-Script as another user (Domain-Admin).

    Here is my run code:

    Start-Process -FilePath "C:\Windows\system32\mmc.exe" -ArgumentList "C:\Windows\system32\gpmc.msc" -Credential (Get-Credential -Credential MYDOMAIN\myadminuser)

    And what I get is an error which says: this command can only be initiated with elevated privileges. Now that tells me that I had to run the script using an admin-user becaus of UAC limitations, which is exactly not what I try to accomplish.

    Has anybody a helping input for me?

    Thanks!

    EDIT

    To make it more clear I attached the whole script.

    $title = "Windows 8.1 RSAT Tools"
$message = "Verwaltungskonsole"

$ad = New-Object System.Management.Automation.Host.ChoiceDescription "&AD Verwaltung", `
"Active Directory-Benutzer und -Computer"

$gpo = New-Object System.Management.Automation.Host.ChoiceDescription "&GPO Verwaltung", `
"Gruppenrichtlinienverwaltung"

$options = [System.Management.Automation.Host.ChoiceDescription[]]($ad, $gpo)

$result = $host.ui.PromptForChoice($title, $message, $options, 0) 

switch ($result)
{
    0 
    {
    Start-Process -Verb RunAs -FilePath "C:\windows\system32\mmc.exe" -ArgumentList "C:\windows\system32\dsa.msc" -Credential (Get-Credential -Credential MYDOMAIN\myadminuser)
    }
    1 
    {
    Start-Process -Verb RunAs -FilePath "C:\windows\system32\mmc.exe" -ArgumentList "C:\windows\system32\gpmc.msc" -Credential (Get-Credential -Credential MYDOMAIN\myadminuser)
    }
}
    • Answers
  • nohwnd

    This may boil down to two problems:

    • The tool actually needs to run elevated, because otherwise it is not allowed to do the changes it needs to do. This is usually the case when you run the tool on the machine locally and do changes specific to that machine. In that case you need to elevate the console before you run the command. This can be done directly from powershell using: 

      $newProcess = New-Object System.Diagnostics.ProcessStartInfo "powershell";
#Indicate that the process should be elevated
$newProcess.Verb = "runas";
#Start the new process
[System.Diagnostics.Process]::Start($newProcess) | Out-Null

    Source here.

    • The tool is improperly configured and only running as the appropriate user would be enough to do the changes you require. This is usually the case when managing remote server by the tool. In that case you may modify how the command is started (asAdmin, asInvoke, asHighest) using application compatibility toolkit (download) and applying RunAsInvoker fix to the executable.
      • Open the Compatibility administrator
      • create new fix in the current database
      • set the path to the executable
      • from the list of the fixes select RunAsInvoker, click preferences and in the module editBox type * and click add
      • save the database and install it by right clicking it

    Unfortunately this won't work for MMC.


    • Related Question

    windows vista - "run as administrator" in standard user account
  • 7wp

    how can I run command prompt as administrator from a standard user account? The "run as" does not appear to work, neither does the CTRL-SHIFT-ENTER trick. I think it is because I am logged in as a standard privilaged account. Is it possoible to "run as administrator" from this type of a restricted account? I have the administrator password, I just need to be prompted somehow.


    • Related Answers
  • Chris Thompson

    If you type 

    cmd

    into the search box after clickining on the Windows Orb, right click on the program and select 

    Run as Administrator

    It will prompt you for the admin password and then start the command processor as admin and in the c:\windows\system32 directory

  • swatkat

    If you are using Windows XP/2000, then check whether "Run As" or "Secondary Logon" services are started in your system. See this page for more info:
    http://support.microsoft.com/kb/294676

    If you are using Windows Vista and if "Run As" does not seem to work, then you can try an app called "ShellRunas":
    http://technet.microsoft.com/en-us/sysinternals/cc300361.aspx

  • William Hilsum

    I don't know why it isn't there, but I have not used that feature since XP so not sure if that is an error or on purpose.

    If I was you, I would do the following:

    1. Open Notepad

    2. Paste the following:

      runas /user:administrator cmd

    3. Save this is on your desktop as anything with the extension of .cmd or .bat

    4. Run this and you should be able to start command prompt as the user, after typing the password.

    (assuming user Administrator, change to whatever name you need!)

  • djangofan

    If you right-click on the command prompt icon in windows the second item in the right-click-menu is "Run as.." Its easier than doing it from the command line as the previous answer suggests.

  • 7wp

    I figured out that the reason it was not prompting me for the password was because I had all of the other administrator accounts deactivated... so I just had to activate one of the administrator accounts using net user admin /active:yes

  • Jan

    Maybe UAC is turned off, had it on a W7 pc. Take a look at RunasSpc (www.robotronic.de) if you want a limited user run a program/installer with adminrights without him/her knowing the password. Works for me fabulous with Ninite installer (ninite.com) on XP and W7