Policy for Disabling "Run As"?

    Question

  • Hello,

    I manage a small domain with Windows 10 machines supported by both WIN2k8 and WIN2012 Domain Controllers.  Our upgrade to Windows 10 was in the form of a fresh install using a pre-configured baseline.  From this baseline, I am able to control what features or security postures we require.  Coupled with this baseline were some pre-selected policies by the issuing group, which I have applied to the OU containing all of our Windows 10 Workstations.

    One of the various things disabled is the "Run As" command, meaning I can't hold shift and right-click on something (like PowerShell) and "run as" an administrative account for the purposes of remote management.  As it is not always possible to switch between a user and an administrator account on the workstation in question, you can see how this would be frustrating.

    For a small number of select workstations, I wish to enable this functionality.  I'm giving them their own OU with a policy that undoes whichever setting the pre-configured baseline's policies use to remove "Run As".

    I found this thread giving some guidance:  https://social.technet.microsoft.com/Forums/windows/en-US/3673b2cd-e449-48fb-b936-678db569f6af/disable-run-as-different-user-using-gpo?forum=w7itprosecurity

    It seems to indicate this policy is in control of the feature:  User Configuration \ Windows Components \ Windows Explorer \ Do Not Request Alternate Credentials

    Unfortunately for me, that doesn't appear to be the case - that is "Not Configured" in my version of the policy, yet I can't "Run As".

    Digging around in the extant policies, I did find one other promising thing - in "Computer Configuration \ Administrative Templates \ Extra Registry Settings" I found this line:  Software\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs

    I recognize that as a registry key path, but I'm unable to find a policy that matches it.  Looking under "Administrative Templates \ All Settings" doesn't profit anything - I even tried to sort by State to see if something either Enabled or Disabled would jump out at me, but to no avail.

    Having run out of ideas (and advice on Google) I turn to the more experienced minds here:  How on earth do I allow myself the "Run As" command?

    Thanks,

    M.

    Monday, March 13, 2017 3:19 PM

All replies