Win10 1607 anniversary update and new Win2016 RSAT run as different users / elevated user to trusted domain authentication failures

    Question

  • How do I get "Run As a Different User" to work when managing trusted domains different than my computer's domain?  I am seeing both DNSMGMT.MSC and COMPMGMT.MSC fail due to access denied errors on Windows 10 v1607 (anniversary update).  These tools worked from Windows 10 RTM and also they continue to work from Windows 7 SP1. 

    Configuration: 
     ::  Win10 v1607 computer in domain1
     ::  Win7 SP1 computer in domain1
     ::  domain1 is a forest containing both domain1 and domain2.
     ::  domain1 trusts domain3, where domain3 is in a different forest than domain1.
     ::  domain1\user1 is a local administrator of Win10 and Win7 computers.
     ::  domain2\user2 is a domain administrator of domain2
     ::  domain3\user3 is a domain administrator of domain3
     ::  domain1\userX is a domain administrator in domain1

    Win10 Results:
     ::  domain1\user1 cannot Run as different user domain2\user2 *FAIL*
     ::  domain1\user1 cannot Run as different user domain3\user3 *FAIL*
     ::  domain1\user1 able to Run as a different user domain1\userX *SUCCESS*

    Win7 Results:
     ::  domain1\user1 able to Run as different user domain2\user2 *SUCCESS*
     ::  domain1\user1 able to Run as different user domain3\user3 *SUCCESS*
     ::  domain1\user1 able to Run as a different user domain1\userX *SUCCESS*

    Background: An article from Redmond Magazine (https://redmondmag.com/articles/2017/01/04/remote-server-admin-tools-dependency.aspx) reminded me I should carefully look through Microsoft's documentation regarding support for RSAT on Windows 10. That brought me to a TechNet blog (https://blogs.technet.microsoft.com/askpfeplat/2017/01/03/remote-server-administration-tools-for-windows-10/) and the RSAT download page (https://support.microsoft.com/en-us/help/2693643/remote-server-administration-tools-rsat-for-windows-operating-systems) both of which claim that I should be able to use the RSAT DNSMGMT.MSC tool to manage Windows 2008 thru 2016 as shown in the provided support matrix (I am focusing on DNS management, but the "Run as a different user" access denied failure symptom I have experienced occurs with other tools as well). 

    Can anyone at Microsoft acknowledge this repeatable issue? (This question was originally posted in the social technet "Windows 10 IT Pro  >  Windows 10 Security" forum but the forum moderator suggested I re-post here.  The original (unanswered) post was: "https://social.technet.microsoft.com/Forums/windows/en-US/3eeb72c9-af27-44ec-8365-3060bd1a9f54/win10-1607-anniversary-update-rsat-runas-elevated-trusted-domain-authentication-failures?forum=win10itprosecurity".) 


    Thank you.


    George Perkins

    Thursday, March 16, 2017 1:20 PM

Answers

  • Solution: All I needed to do was add the trusted domains’ Domain Admin user accounts to my Windows 10 local Administrators group.  (In the example above, I added domain2\user2 and domain3\user3 to local Administrators group on the Windows 10 computer.domain1). 

    I tested on both a Windows 10 and Windows 7 computer and found that this requirement is the same for both editions of Windows... I had made this change to my old Windows 7 computer long ago (set it and forget it scenario). 

    So this is a slap-to-the-forehead “D’oh!” moment.  It did not help that Windows 10 contains extensive enhancements to User Account Control (UAC) and these changes were suspected as the cause by Microsoft Technical Support. Nobody considered the obvious. However, in my defense, none of the Microsoft technical support articles or RSAT help documentation identify this requirement. 


    George Perkins

    Monday, June 12, 2017 6:41 PM
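
The check and the change described in the answer above, as an added PowerShell example that is not part of the original thread. The function names are hypothetical, the account names are the thread's own placeholders, and it assumes the LocalAccounts cmdlets that ship with Windows PowerShell 5.1 on Windows 10 v1607. Only direct members are detected, not accounts that are members through a nested domain group.

```powershell
#Requires -Version 5.1
# Added example (not from the thread). Hypothetical helper names.
# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
# lookup works regardless of the display language of the OS.
$AdminSid = 'S-1-5-32-544'

function Test-LocalAdminMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Account          # NetBIOS form, e.g. 'domain2\user2'
    )
    # Direct members of the local Administrators group on this computer.
    $members = @(Get-LocalGroupMember -SID $AdminSid -ErrorAction Stop)
    foreach ($name in $Account) {
        $hit = $members | Where-Object { $_.Name -ieq $name }
        [pscustomobject]@{
            Account        = $name
            IsDirectMember = [bool]$hit
            Source         = if ($hit) { [string]$hit.PrincipalSource } else { $null }
        }
    }
}

function Add-MissingLocalAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string[]]$Account
    )
    foreach ($result in Test-LocalAdminMembership -Account $Account) {
        if ($result.IsDirectMember) { continue }   # already present, nothing to do
        if ($PSCmdlet.ShouldProcess($result.Account, 'Add to local Administrators')) {
            # Needs an elevated session; the name is resolved across the trust.
            Add-LocalGroupMember -SID $AdminSid -Member $result.Account -ErrorAction Stop
        }
    }
}

# Placeholder accounts from the question.
$accounts = 'domain2\user2', 'domain3\user3'

# 1. Report which of the trusted-domain admin accounts are already members.
Test-LocalAdminMembership -Account $accounts | Format-Table -AutoSize

# 2. Preview the change; drop -WhatIf to apply it from an elevated prompt.
Add-MissingLocalAdmin -Account $accounts -WhatIf
```

Running the report on each management workstation also gives a record of which foreign-domain administrator accounts hold local administrator rights there.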

All replies

  • Additional information:

    AD domain1 schema is Win2012r2

    AD domain1 + domain2 functional level is 2003 (same forest)

    AD domain3 schema and functional level is Win2003 (trusted)

    FYI: Win10 just applied March updates (included cumulative KB4013429) and restarted. Still having same problem.


    George Perkins

    Thursday, March 16, 2017 1:23 PM
  • Hi George,
    Is the trust configured as one-way or two-way between domain1 and domain3? If the trust is one-way, then I would think this behavior should be expected. Domain1 trusts domain3 but domain3 doesn't trust domain1. You're trying to use runas as a domain3 user from a domain1 computer. That should mean that in order to authenticate the domain3 user, the authentication request has to flow from domain1 to domain3, and since domain3 doesn't trust domain1 it could fail.
    If that is the case, you could try setting up a two-way trust and see if it works.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, March 17, 2017 7:41 AM
    Moderator
  • Two-way trusts in all cases.

    As I indicated, "run as a different user" works just fine on Windows 7.  This seems to be something unique with Windows 10 and the new RSAT for Windows 10 and Server 2016.

    Another clue/symptom is that UAC on Windows 10 always prompts for elevation when you launch an RSAT component using "run as a different user" if the user is in a foreign trusted domain. Windows 7 does not prompt. This behavior is intuitive, since the prompt occurs only when the "different user" is a domain admin for a domain different from the computer domain. However, no such prompt occurs in Windows 7 UAC. 


    George Perkins

    Friday, March 17, 2017 1:09 PM
  • Hi George,
    If the problem is only happening on Windows 10 v1607, I would suggest using the Network Monitor tool to capture the details on the Windows 10 and Windows 7 clients and see where the differences are. You could download this tool from: https://www.microsoft.com/en-sg/download/details.aspx?id=4865
    In addition, you could check if UAC is disabled on Windows 10 regarding the prompt for elevation problem.
    Best regards,
    Wendy

    Wednesday, March 22, 2017 1:55 AM
    Moderator
  • As I have indicated, this happens on multiple Win10 computers in our environment.

    As a first step I attempted to disable UAC on the Win10 computer and restarted. I launched other elevated-required applications and did not get the UAC elevation prompt; so I know the UAC setting had taken effect.

    Then I tried to launch DNSMGMT.MSC using the Run As A Different user option, specifying Domain2/User2. But I still got the UAC elevation prompt! Then the access denied failure.  I think there is something wrong with UAC when running RSAT.

    Here are screenshots:


    George Perkins

    Monday, March 27, 2017 1:37 PM
  • Hi George,

    Thank you for testing and sharing. What I suggest is to fully update Windows 10 and Windows Server 2016, which might fix some problems.

    In addition, open up a case with Microsoft Technical Support to see if they have more information about this problem.

    https://support.microsoft.com/en-us/contactus/?ws=support

    Best regards,

    Wendy


    Thursday, March 30, 2017 4:44 AM
    Moderator
  • Windows 10 is fully updated with all updates from Microsoft. We do not have Server 2016 in our environment (yet). The RSAT is the latest download for Windows 10 and is a requirement to run after v1607 anniversary update.

    I originally posted this to Windows 10 forums, that moderator sent me to this Directory Services forum, now you seem to keep suggesting I post the question elsewhere.

    Who at Microsoft  will take ownership of this repeatable issue? 


    George Perkins

    Thursday, March 30, 2017 2:20 PM
  • Hi George,
    I am sorry for the inconvenience which the problem brought to you. What I suggest is to directly call the Microsoft Technical Support team; they will assist you remotely in fixing the problem, and we will also report it to the related team. If we have any information or updates, you will know as soon as possible. Thank you for your understanding.
    Best regards, 
    Wendy

    Monday, April 3, 2017 5:10 AM
    Moderator
  • I have opened a case #117041015581471.

    George Perkins

    Monday, April 10, 2017 8:35 PM
  • Microsoft technical support has re-created the problem and is troubleshooting to find a solution.

    George Perkins

    Thursday, April 20, 2017 4:22 PM
  • Hello George!

    Did you ever get a solution to this problem? If so, would you be able to let us know?

    Thanks!
    Mark

    Monday, June 12, 2017 3:23 AM