How to run MMC/RSAT as non-admin user

  • Question

  • In our environment (2008R2/2012 AD Domain, w/ Win7/8 Enterprise), we log on to our systems with unprivileged accounts. We avoid using domain admin credentials entirely, instead relying on different privileged accounts for various categories of workstations and servers (they are basically compartmentalized by function and risk). System admins then run needed tools elevated to whichever account is needed for the target system. The accounts that have admin privs on the target system are not privileged on the desktop on which the tool is run. Prior to Windows 8, this has worked without any problems, though in some cases, steps were required to make the "Run as a different user" option available in the right-click menus used to launch the tools.

    However, on Windows 8.1, attempts to work in this way fail. Ultimately, we are unable to run the various RSAT tools without providing an account that has admin privileges on the local desktop to run the MMC. I've done a good bit of googling (er.. binging) and have been unable to find any explanation or guidance on how to get this to work.

    I can probably add all the server admin accounts to the local Administrators groups on the admin workstations and/or terminal servers and get this to work, but that's undesirable from a security perspective. We developed this scheme to segment our privileged credentials to improve domain security by thwarting an attacker's ability to move laterally through the domain in the event a system is compromised. E.g., if a user workstation or laptop is compromised, privileged credentials that might be present on that system would not allow privileged access to any system in a different risk category ("compartment" in our vernacular).

    Does anyone have any idea what I'm missing? This issue is currently holding up broader adoption of Windows 8.1+ and I really need to get this working.

    Thanks for any insight.


    Marty Wise, IT/CNI Thomas Jefferson National Accelerator Facility Newport News, Virginia


    • Edited by Marty Wise Wednesday, July 8, 2015 10:45 AM
    Wednesday, July 8, 2015 10:43 AM

Answers

  • Hi,

    If you were prompted that you have insufficient privileges, you need to grant privileges to the current users to run these programs. I am supposing you mean the “server operator” account in your thread. To confirm whether a server operator has privileges to run RSAT on Windows 8.1, I need time to reproduce a domain environment with Windows 8 and 8.1 and perform a test. If I find something changed between Windows 8 and 8.1, I might inform you in this thread.

    Minimizing user permissions is always important for security reasons. If your environment doesn’t allow the system operator/admin to have full local administrator privileges, we need to compare both accounts and fractionize the privileges by using accesschk and NT Rights Privileges.

    https://technet.microsoft.com/en-us/sysinternals/bb664922.aspx

    https://gallery.technet.microsoft.com/Get-Set-Remove-NT-Rights-0a8a36db

    Here is a sample of a server operator account:

    Personally, I prefer adding the server admin to the local administrator group (for certain computers, maybe), since this option might mess up your whole privilege system and it will be disastrous.

    Regards,

    D. Wu


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, July 13, 2015 1:42 AM
    Moderator
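    The comparison step suggested above, as an added PowerShell example that is not from this thread or from the accesschk/NT Rights tool authors: it runs accesschk for two accounts, diffs the user rights it reports, and checks local Administrators membership, which is the usual reason a tool runs for one account and not the other. It assumes accesschk.exe (Sysinternals) is on the PATH; the account names are placeholders.

```powershell
# Added example (not from the thread). Diff the user rights accesschk reports for
# a workstation-admin account and a server-only admin account, so the rights the
# "Run as a different user" account lacks on this workstation stand out.
# Assumptions: accesschk.exe is on the PATH; CONTOSO\... names are placeholders.
param(
    [string]$ReferenceAccount = 'CONTOSO\wks-admin',    # account that can run the MMC tools
    [string]$CandidateAccount = 'CONTOSO\print-admin'   # server-only account that fails
)

function Get-AccountRights {
    param([string]$Account)
    # "accesschk -a <account> *" prints every right/privilege assigned to the account.
    $raw = & accesschk.exe -accepteula -a $Account * 2>$null
    @($raw | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^Se\w+(Privilege|Right)$' } |
        Sort-Object -Unique)
}

function Compare-AccountRights {
    param([string]$Reference, [string]$Candidate)
    $ref  = Get-AccountRights -Account $Reference
    $cand = Get-AccountRights -Account $Candidate
    [pscustomobject]@{
        OnlyInReference = @($ref  | Where-Object { $cand -notcontains $_ })  # what the candidate lacks
        OnlyInCandidate = @($cand | Where-Object { $ref  -notcontains $_ })
        Common          = @($ref  | Where-Object { $cand -contains $_ })
    }
}

function Test-LocalAdministrator {
    param([string]$Account)
    # Enumerate local Administrators via ADSI and compare WinNT paths (DOMAIN\user -> WinNT://DOMAIN/user).
    $group = [ADSI]'WinNT://./Administrators,group'
    $paths = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
    $wanted = 'WinNT://' + ($Account -replace '\\', '/')
    [bool]($paths | Where-Object { $_ -eq $wanted })
}

$result = Compare-AccountRights -Reference $ReferenceAccount -Candidate $CandidateAccount
"{0} is local admin: {1}" -f $ReferenceAccount, (Test-LocalAdministrator $ReferenceAccount)
"{0} is local admin: {1}" -f $CandidateAccount, (Test-LocalAdministrator $CandidateAccount)
"Rights held by {0} but not by {1}:" -f $ReferenceAccount, $CandidateAccount
$result.OnlyInReference | ForEach-Object { "  $_" }
```

    Run it on the admin workstation where the tools fail; rights that appear only for the reference account are the candidates to grant individually instead of full local Administrators membership.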

All replies

  • > If you were prompted that you have insufficient privileges, you need to grant privileges to the current users to
    > run these programs. I am supposing you mean “server operator” account in your thread.

    No, we do not use the Server Operator group. Instead, we create our own Global Group in active directory to be used for each type of server. For example, there is a Print-ServerAdmins group that is added via group policy to the Administrators group on our print server systems. To this group, we add the smart card credentials for administrators who manage print servers. There is a similar, but separate group for PKI-ServerAdmins, etc. In this way, only admins who need access to various services actually have it.

    > https://technet.microsoft.com/en-us/sysinternals/bb664922.aspx
    > https://gallery.technet.microsoft.com/Get-Set-Remove-NT-Rights-0a8a36db

    I have not yet had a chance to check these in detail (busy with 2003 EOL, Win10RTM, big patch Tuesday -- you know, typical Windows Admin stuff lol). But I am eager to do so. I am vaguely aware of these tools, but I think this actually will show me the relevant details to track this down. I will update as soon as I go through the results. Thanks.

    > Personally, I prefer adding server admin to local administrator group (for certain computers
    > maybe) since this option might mess your whole Privilege system and it will be disastrous.

    I think we are in agreement here. This is pretty much what we do, though we have a set of groups to provide some indirection to make it easier to manage as admins change roles, come and go, etc.

    Thanks very much for your response.



    Marty Wise, IT/CNI Thomas Jefferson National Accelerator Facility Newport News, Virginia

    Wednesday, July 22, 2015 1:31 PM
  • I think you misunderstand what we are trying to do.

    We don't want admin or server operator access on the server at all. We only want standard user access, and there is no need for elevation. We already have sufficient admin access on the resources we administer through remote administration (e.g. WinRM etc.), but on the server where we run the tools, we MUST NOT have admin rights (or server operator rights) because neither we (nor a process spoofing as us) should be able to modify the tools. We are just tool application users in the server context.

    Another special group is responsible for server operations/administration, and that is not the group we are talking about here.

    All we want is to simply open the tools and use them.


    Monday, July 29, 2019 12:59 AM