In the course of poking around the Local Security Policy, Xsetup, TweakUI and
possibly some other steps that I no longer remember; I have disabled the "Run
As" menu item. I'd now like to restore it but cannot find where this is done.
Any tips on where? ... and perhaps more importantly where I could have
looked for an answer?
If the computer is XP Pro try running rsop.msc on it to see if you have any
Group Policy settings configured that may be causing the problem. You can
logon as a local administrator and use gpedit.msc to manage Group Policy
settings. The link below also shows a registry setting to check though that
you could delete if it exists on your computer or try changing the value to
0 or 2 [offhand I don't know which is correct]. --- Steve
Thank you for the advice. I have finally taken the time to carefully sift
through the rsop.msc log and search for a possibly relevant policy. This has
not helped remedy my situation.
.... This post is long and detailed - I hope it will lead to some helpful
advice from a guru out there! ...
I have only limited understanding of Group Policy Objects and the editors
used for tweaking these. I had to google rsop.msc to understand what the
output of that tool is showing me. This confusion arose from the fact that
rsop.msc reports different status than either secpol.msc or services.msc as
well as the fact that I get some errors when running rsop.msc from a
Limited-User account and then of course, I cannot run either secpol.msc or
services.msc from a Limited-User account.
Before I describe those differences I should clarify a few details and
correct some misinformation I had posted earlier:
1. OS= Windows XP Pro + SP2
2. Peer-Peer workgroup environment - no active directory or domain servers
Administrator account:
---------------------
3. can access the RunAs action using Shift-RightClick on every shortcut
that I tested from within the Start menu.
4. can access the RunAs action using just a RightClick on most of the
shortcuts that I tested. The set of shortcuts this does NOT work for is the
{Microsoft Office Tools} program group + 3/15 from the {Adobe} program group
+ 41/42 shortcuts from the Control Panel group*.
( * There are other shortcuts in other program groups but enumerating these
seems irrelevant. Sufficient to say that the set is not JUST Microsoft apps
but includes a few other vendor's applications.)
5. Although the menu item for Run As appears as described above. When the
Administrator launches an application or control panel applet using the
Shift-RightClick-RunAs action I see the following error dialogs:
For a {Microsoft Office Tools} shortcut:
(X) The parameter is incorrect. [OK]
For a {Control Panel} shortcut:
(X) This file does not have a program associated with it for performing
this action. Create an association in the Folder Options control panel. [OK]
Limited-User account:
--------------------
6. can access the RunAs action using Shift-RightClick on those shortcuts
found in the {Microsoft Office Tools} program group + 3/15 from the {Adobe}
program group + 41/42 shortcuts from the Control Panel group.
7. I verified the above (item 5) using a newly created limited-user account
in addition to the original user account for which I first observed this
problem.
8. If I change the original users's account type from Limited-User to
Administrator then the behaviour becomes identical to that described at 3 & 4
above. This suggests to me that there is nothing in a User's profile (or the
default user profile) that is at the root of this problem.
9. Although the menu item for Run As appears as described above. When the
Limited-User launches an application or control panel applet using the
Shift-RightClick-RunAs action I see the following error dialogs:
For a {Microsoft Office Tools} shortcut:
(X) The requested lookup key was not found in any active activation
context. [OK]
For a {Control Panel} shortcut:
(X) This file does not have a program associated with it for performing
this action. Create an association in the Folder Options control panel. [OK]
10. The following registry keys exist with Type= REG_SZ & Data= "%1" %*
[HKEY_CLASSES_ROOT\*\shell\runas\command]
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
[HKEY_CLASSES_ROOT\Folder\shell\runas\command]
10a) By deleting the above four keys the behaviour described at item (4.)
above is lost and I think that this is as it should be. i.e. requiring
Shift-RightClick to access RunAs and not simply RightClick.
11. The following registry key does NOT exist:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\HideRunAsVerb
Note: I have tried creating this key and setting it to 0 but that has no
effect either.
12. rsop.msc vs secpol.msc
======== ==========
The output from rsop.msc does not agree with the output from secpol.msc
The detail is too voluminous to explain here but sufficient to say that:
12a) Using Administrator on My-Workstation-Name; rsop.msc reports for every
entry under
"Computer Configuration/Windows Settings/Security Settings/"
= Not defined
Specifically for the entry that I think may be relevant to this isssue:
CC/WS/SS/Local Policies/User Rights Assignment/Impersonate a client after
authentication
= Not defined
12b) secpol.msc reports meaningful settings for entries under
"Security Settings/Account Policies/"
"Security Settings/Local Policies/"
and no policy defined for entries under
"Security Settings/Public Key Policies/"
"Security Settings/Software Restriction Policies/"
"Security Settings/IP Security Policies on Local Computer/"
Specifically for the entry that I think may be relevant to this isssue:
SS/Local Policies/User Rights Assignment/Impersonate a client after
authentication
= ASPNET,Administrators,SERVICE
13. rsop.msc vs services.msc
======== ============
The output from rsop.msc does not agree with the output from services.msc
The detail is too voluminous to explain here but sufficient to say that:
13a) Using Administrator on My-Workstation-Name; rsop.msc reports for every
entry under
"Computer Configuration/Windows Settings/System Services/"
StartUp= Not defined & Permission= Not defined
13b) services.msc reports meaningful settings for entries under
"Services (Local)"
Specifically for the entry that I think may be relevant to this isssue:
"Services (Local)/Secondary Logon"
Status=Started & Startup Type = Automatic & Log On As = Local System
14. rsop.msc run as Limited-User on My-Workstation-Name
It may not be relevant but the Limited user account sees
"Error - Access is denied." for the following:
Location - "\\MANDY\admin$\System32\GroupPolicy\Adm\conf.adm"
Location - "\\MANDY\admin$\System32\GroupPolicy\Adm\wmplayer.adm"
Location - "\\MANDY\admin$\System32\GroupPolicy\Adm\inetres.adm"
Location - "\\MANDY\admin$\System32\GroupPolicy\Adm\system.adm"
14a) The comments for 13a) and 13b) apply equally well for rsop log results
when run as Limited-User. I cannot run secpol.msc or services.msc as Limited
user.
So what I conclude from all the above is that the Group Policy and the
Services that I think are correctly configured using secpol.msc and
services.msc are not taking effect as intended. What I don't understand is
what I need to do to make them take effect (and hence show up in the log of
rsop.msc)
There seems to be a lot of help for understanding GPO's in a Domain
Environment but very little help for the Workgroup Environment.
Thank you for considering my (verbose) questions. I have decided that it is
time for a clean install of Windows XP Professional and so I do not expect
the above problem to occur on this machine again.
