Jeff Vandervoort said:
I ran across a utility somewhere on the Internet that allows you to
run a script or batch file with alternate (e.g. administrative)
credentials on Win2K/XP without the user having to enter a password.
As I recall, it compiled the script into a .exe file so the user
would run the .exe and the .exe would run the script under the
secondary credentials. Of course, now that I need it, I can't find
any trace of it.
Anybody familiar with something like this that could give me a URL?
TIA
One solution is to use the Substitute User utility (su.exe) from the
resource kit; I haven't used it so I don't know if it obviates the need
to supply the password or allows you to specify it without getting
prompted for it. The other is to use the Task Scheduler to define a
task that runs under the other account; you have to specify the password
because obviously the scheduled task is supposed to run in the
background and not prompt you for a password. You could then either
right-click and Run that task immediately or just schedule it whenever
your want. See
http://www.jsiinc.com/SUBG/TIP3000/rh3063.htm for
details.
If you find this other utility to encode the password into an .exe to
use as a substitute for RunAs, be sure you protect it well. Hopefully
you realize that any program that could be encoded with the password for
an account in the Administrators group for your machine would then be a
skeleton key to unlock just about anything a thief would want to do on
your machine. You would need not only to place it in a directory where
only you had permissions to read that directory (and all files under it)
but you would also have to use EFS (encrypted file system) to ensure no
one can get it by moving your hard drive to another machine that loads a
different instance of Windows. Windows is only secure regarding its
permissions if *that* instance of Windows [registry] is used under which
the permissions were defined. EFS, however, won't be readable on
another machine unless you have exported the security certificate off
the original machine and imported them to the "thief" machine to then
decrypt and read the EFS-protected directories and files. If you don't
protect that program with the encoded password, you might as well as use
TweakUI to configure Windows 2000 to always logon under Administrator
without having to supply the password for the logon dialog - and leave
your system wide open for anyone to use.