runas question

  • Thread starter Thread starter djc
  • Start date Start date
D

djc

I am confused. The following is what I understood the runas command to do:

Allows you to launch a program using the credentials of a different user.
Mostly intended to run an administrative task with admin priveleges without
having to log off and then log back on. Its like the unix/linus su command.

question 1: can you also use it to log on with someone with lesser
credentials to make sure they 'can't' do something? Say I set a new file
share up and I want to verify userA cannot access it. I am currently logged
in as someone who can access it so I open up an instance of explorer.exe
using the runas command specifying userA. Using that instance I attempt to
browse to the share. I should be denied access right?

question 2: What are the 'boundaries' of the runas command. Meaning if I use
the runas command to open an instance of explorer.exe (or any other program)
do I continue to operate inside that program as that user? or is it just the
initial 'open' or 'connection' that uses the user specified in runas?

These questions are related to each other and I ask because I am getting
very unexpected results! So I want to fully understand what should be
happening.

anyone?
 
1. Windows Explorer is single-instance per desktop. The instance is always
owned by the owner of the desktop.

2. The question should be "What apps single-instance themselves?". I don't
have a canonical list. I do know that Explorer single-instances and cmd
does not - I do a "runas /u:foo cmd" when I need to run in another context.
 
Hi djc,

To use runas on Explorer you have to use taskmgr to kill the explorer shell first,
then use taskmgr to start Explorer using runas. For more information see the
following:

Step-by-Step Guide to Using Secondary Logon in Windows 2000
http://www.microsoft.com/windows2000/techinfo/planning/management/seclogon.asp

--
Carrie Garth, Microsoft MVP for Windows 2000
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- c x g

: From: "djc" <[email protected]>
: Newsgroups: microsoft.public.win2000.networking,microsoft.public.win2000.security
: Sent: Thursday, September 25, 2003 6:40 AM
: Subject: runas question
: Message ID " :
: I am confused. The following is what I understood the runas command to do:
:
: Allows you to launch a program using the credentials of a different user.
: Mostly intended to run an administrative task with admin priveleges without
: having to log off and then log back on. Its like the unix/linus su command.
:
: question 1: can you also use it to log on with someone with lesser
: credentials to make sure they 'can't' do something? Say I set a new file
: share up and I want to verify userA cannot access it. I am currently logged
: in as someone who can access it so I open up an instance of explorer.exe
: using the runas command specifying userA. Using that instance I attempt to
: browse to the share. I should be denied access right?
:
: question 2: What are the 'boundaries' of the runas command. Meaning if I use
: the runas command to open an instance of explorer.exe (or any other program)
: do I continue to operate inside that program as that user? or is it just the
: initial 'open' or 'connection' that uses the user specified in runas?
:
: These questions are related to each other and I ask because I am getting
: very unexpected results! So I want to fully understand what should be
: happening.
:
: anyone?
 
Thanks

Drew Cooper said:
1. Windows Explorer is single-instance per desktop. The instance is always
owned by the owner of the desktop.

2. The question should be "What apps single-instance themselves?". I don't
have a canonical list. I do know that Explorer single-instances and cmd
does not - I do a "runas /u:foo cmd" when I need to run in another context.

--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.


djc said:
I am confused. The following is what I understood the runas command to do:

Allows you to launch a program using the credentials of a different user.
Mostly intended to run an administrative task with admin priveleges without
having to log off and then log back on. Its like the unix/linus su command.

question 1: can you also use it to log on with someone with lesser
credentials to make sure they 'can't' do something? Say I set a new file
share up and I want to verify userA cannot access it. I am currently logged
in as someone who can access it so I open up an instance of explorer.exe
using the runas command specifying userA. Using that instance I attempt to
browse to the share. I should be denied access right?

question 2: What are the 'boundaries' of the runas command. Meaning if I use
the runas command to open an instance of explorer.exe (or any other program)
do I continue to operate inside that program as that user? or is it just the
initial 'open' or 'connection' that uses the user specified in runas?

These questions are related to each other and I ask because I am getting
very unexpected results! So I want to fully understand what should be
happening.

anyone?
Click to expand...
Click to expand...
 
Back
Top