none
RUNAS functionality RRS feed

  • Question

  • I have some applicaitons that require me to run as a different user. 

    To list a few:

    SQLEnterpriseMAnager

    ADUsers/Computers

    SMSAdmin Console

     

    Note most of these are MMC Snapins.  What I am finding is that I can not Hold Shift - Right Click and choose RunAs.  I can Run As Administrator but do not have a choice to change to a domain user account which I need to run some of these consoles in MMC. 

    Another thing I have tried is to user RunAS at a command prompt to launch these apps.  In doing so I get - "RunAs Error 740: The requested operation requires elevation."

     

    Wednesday, September 6, 2006 6:51 PM

Answers

  • This is a Group Policy Setting

     

    Go to GPEDIT.msc

    Select Computer Configuration - Windows Settings - Local Policies - Security Options

     

    There are several here for "User Account Control"  (Toward the bottom)

     

    Choose the one with Behavior of the eleveation prompt for Administrators.....

     

    Set it to Prompt for Credentials

     

    Then runa  gpupdate /force

     

     

    Wednesday, January 24, 2007 9:54 PM

All replies

  • Hello,

     i encounter the same problem...unable to run as domain admin my MMCs with a right-click (only local administrator available)

     When i try in a cmd prompt, it doesn't work more...

     If anybody have a solution...

     Thanks

    Monday, September 18, 2006 3:55 PM
  • the only work around that I have been able to find is to do it from the command prompt.
    Friday, January 19, 2007 8:17 PM
  •  tandrle wrote:

    I have some applicaitons that require me to run as a different user. 

    To list a few:

    SQLEnterpriseMAnager

    ADUsers/Computers

    SMSAdmin Console

    Note most of these are MMC Snapins.  What I am finding is that I can not Hold Shift - Right Click and choose RunAs.  I can Run As Administrator but do not have a choice to change to a domain user account which I need to run some of these consoles in MMC. 

    Another thing I have tried is to user RunAS at a command prompt to launch these apps.  In doing so I get - "RunAs Error 740: The requested operation requires elevation."

     

     

    Try to open and run a command prompt as local administrator (right mouse click then Run as Administrator). This should enable you to start the required MMC snap-in from within the command prompt.

    Hope this helps. Thanks.

    Saturday, January 20, 2007 12:13 PM
  • I tried the above recommendation. Running cmd as administrator then typing in runas with my domain admin user account.

    But I still get the folowing error.

    RUNAS ERROR: Unable to run - mmc C:\Windows\system32\My MMC Console.msc
    740: The requested operation requires elevation.

    Tuesday, January 23, 2007 4:39 PM
  • I am getting the same error..
    Tuesday, January 23, 2007 4:58 PM
  • This is a Group Policy Setting

     

    Go to GPEDIT.msc

    Select Computer Configuration - Windows Settings - Local Policies - Security Options

     

    There are several here for "User Account Control"  (Toward the bottom)

     

    Choose the one with Behavior of the eleveation prompt for Administrators.....

     

    Set it to Prompt for Credentials

     

    Then runa  gpupdate /force

     

     

    Wednesday, January 24, 2007 9:54 PM
  • That is great! It finally works like it's supposed to!

    Only issue I have now is trying to get Active Directory Users and Groups to show up.

     

    Wednesday, January 24, 2007 10:11 PM
  •  tandrle wrote:

    This is a Group Policy Setting

     Go to GPEDIT.msc

    Select Computer Configuration - Windows Settings - Local Policies - Security Options

     There are several here for "User Account Control"  (Toward the bottom)

     Choose the one with Behavior of the eleveation prompt for Administrators.....

     Set it to Prompt for Credentials

     Then runa  gpupdate /force

     

    Thanks for pointing this out tandrle!

    Thursday, January 25, 2007 8:18 AM
  • Copy the following into notepad and save it as aducfixscript.bat or something like that. Right-click it and run it as admin (if not, certificate and remote access dll registration fails). Hope this helps

    regsvr32 /s adprop.dll

    regsvr32 /s azroles.dll

    regsvr32 /s azroleui.dll

    regsvr32 /s ccfg95.dll

    regsvr32 /s certadm.dll

    regsvr32 /s certmmc.dll

    regsvr32 /s certpdef.dll

    regsvr32 /s certtmpl.dll

    regsvr32 /s certxds.dll

    regsvr32 /s cladmwiz.dll

    regsvr32 /s clcfgsrv.dll

    regsvr32 /s clnetrex.dll

    regsvr32 /s cluadmex.dll

    regsvr32 /s cluadmmc.dll

    regsvr32 /s cmproxy.dll

    regsvr32 /s cmroute.dll

    regsvr32 /s cmutoa.dll

    regsvr32 /s cnet16.dll

    regsvr32 /s debugex.dll

    regsvr32 /s dfscore.dll

    regsvr32 /s dfsgui.dll

    regsvr32 /s dhcpsnap.dll

    regsvr32 /s dnsmgr.dll

    regsvr32 /s domadmin.dll

    regsvr32 /s dsadmin.dll

    regsvr32 /s dsuiwiz.dll

    regsvr32 /s imadmui.dll

    regsvr32 /s lrwizdll.dll

    regsvr32 /s mprsnap.dll

    regsvr32 /s msclus.dll

    regsvr32 /s mstsmhst.dll

    regsvr32 /s mstsmmc.dll

    regsvr32 /s nntpadm.dll

    regsvr32 /s nntpapi.dll

    regsvr32 /s nntpsnap.dll

    regsvr32 /s ntdsbsrv.dll

    regsvr32 /s ntfrsapi.dll

    regsvr32 /s rasuser.dll

    regsvr32 /s rigpsnap.dll

    regsvr32 /s rsadmin.dll

    regsvr32 /s rscommon.dll

    regsvr32 /s rsconn.dll

    regsvr32 /s rsengps.dll

    regsvr32 /s rsjob.dll

    regsvr32 /s rsservps.dll

    regsvr32 /s rsshell.dll

    regsvr32 /s rssubps.dll

    regsvr32 /s rtrfiltr.dll

    regsvr32 /s schmmgmt.dll

    regsvr32 /s tapisnap.dll

    regsvr32 /s tsuserex.dll

    regsvr32 /s uddi.mmc.dll

    regsvr32 /s vsstskex.dll

    regsvr32 /s w95inf16.dll

    regsvr32 /s w95inf32.dll

    regsvr32 /s winsevnt.dll

    regsvr32 /s winsmon.dll

    regsvr32 /s winsrpc.dll

    regsvr32 /s winssnap.dll

    regsvr32 /s ws03res.dll

    Thursday, January 25, 2007 11:13 PM
  • Yea that did it! and after I did that I found the answer here as well. LOL

    http://support.microsoft.com/kb/930056/en-us

    Thursday, January 25, 2007 11:18 PM
  • While that does work it now means I have to put in a username and password everytime I want to do anything with administrative rights.

    My need is to run an MMC with ADUC, DNS, and DHCP with domain admin privildges without logging in as a domain administrator (as Microsoft recommends) but now with out having simply the "Run As" option it is impossible to do with without prompting for a username and password for everything.  Does anyone have a suggestion as to how to be able to run a process as a different user WITHOUT having to change the UAC to prompt an administrator for their username and password.  This seems like a giant step backwards with Vista (not to mention the fact that they released Vista without having any of the sysadmins in mind to provide an adminpak that actually works well, ie without a batch file to manually register the .dll's)

    Thursday, February 22, 2007 8:40 PM
  • I hear you, but for run as I never got passed the “740: The requested operation requires elevation” issue.

    What I do is I get all my MMC snapin’s under the same MMC console “My MMC”  I also add the local computer policy then save the snapin with the Security Options window expanded.

    After I boot and launch My MMC Console I switch the User Account behavior to “Elevate with out prompting”.

    And before I shutdown for the day I switch it back to Prompt for credentials.

    Is this a major pain? YES!  But what are you going to do? I have been unable to find a solution to this issue.

    Friday, February 23, 2007 2:08 PM
  • MS should fix this. There are quite a few scenarios where people used runas thats not quite covered by UAC. Changing UAC to make it work is overkill - global change for a local problem.

    I am frequent user of runas - for example one sceanrio that broke - I used UAC to run IE under different accounts on web sites that use windows live id - so I could login using multiple windows live id. Now the only option to run IE under a second user account is to use the builtin administrator account. And thats too risky cause IE runs in unprotected mode.

    Tuesday, February 27, 2007 12:03 AM
  • After installing M.S. PowerShell I can now do a RunAs /UserBig Smileomain admin account cmd.exe right from Run

    logged in as a normal user.

    This opens cmd  with my admin ID and then I can run programs as needed

    This solved a lot of my issues with using Vista
    Friday, June 1, 2007 6:41 PM
  • I found a way to fix this issue. I create a shortcut and send it to my desktop, then I was able to use the run as option and type my Domain Admin Account and password.
    Saturday, June 2, 2007 12:20 AM
  • I got around this issue by creating a tools directory at the root of C, (just my preference) then saved my mmc

    console(s) into this directory. Then I launched cmd using runas (runas /userBig Smileomain\adminuser cmd.exe) changed into my tools directory and launch the mmc.

     

    Friday, November 23, 2007 7:19 PM
  • In my environment, all the admins are set to 'Prompt for Consent'. The leads to 740 errors with the RunAs command. To work around it, I created a shortcut to always run as admin and used the runas /netonly switch:

    C:\Windows\System32\runas.exe /netonly /userBig Smileomain\username "mmc c:\windows\system32\dsa.msc"

    This works with the netonly switch, but not without.
    • Proposed as answer by Peter_D503 Thursday, March 19, 2009 11:29 PM
    Thursday, March 6, 2008 5:47 PM

  • Take a look here:  to add the RunAs funcationality to Vista as it was back in the XP days.  Sysinternals Mark R. wrote a shell plugin for Vista and Server 2008.
    • Proposed as answer by Peter_D503 Thursday, March 19, 2009 11:28 PM
    Wednesday, June 4, 2008 1:44 AM
  •  tandrle wrote:

    This is a Group Policy Setting

    Go to GPEDIT.msc

    Select Computer Configuration - Windows Settings - Local Policies - Security Options

    There are several here for "User Account Control"  (Toward the bottom)

    Choose the one with Behavior of the eleveation prompt for Administrators.....

    Set it to Prompt for Credentials

    Then runa  gpupdate /force




    This not work under Vista SP1? It is not taking effect for me. I ran the gpupdate /force, I even rebooted. When I right click on an MMC and choose run as, it still just opens up under my credentials.
    Friday, June 27, 2008 2:36 PM
  • This worked for me! Many thanks. /netonly switch made the difference.
    • Proposed as answer by Mike Driest Sunday, September 27, 2009 7:32 PM
    Monday, September 21, 2009 12:28 AM
  • In my environment, all the admins are set to 'Prompt for Consent'. The leads to 740 errors with the RunAs command. To work around it, I created a shortcut to always run as admin and used the runas /netonly switch:

    C:\Windows\System32\runas.exe /netonly /userBig Smileomain\username "mmc c:\windows\system32\dsa.msc"

    This works with the netonly switch, but not without.

    I changed my desktop shortcut to call "C:\Windows\System32\runas.exe /netonly /user:OurDomainName\UserName "mmc C:\MMC\MyMMC.msc"".  With XP I was using /profile and /netonly made the difference.  In the properties for this shortcut I have "Run as administrator" set in Shortcut (tab) > Advanced.

    Thank you!
    Sunday, September 27, 2009 7:36 PM
  • Hi there. I would like to add that you can still run applications that require elevation as another user by using the Elevate.cmd and Elevate.vbs script from Microsoft. You need to download the Elevation PowerToys for Windows Vista v1.1 . Then extract the Elevate.cmd and Elevate.vbs to the same folder.

    This will elevate as user domain\user and connect computer management to SERVER1:
    C:\> cmd.exe /C runas /user:domain\user \\path\to\elevatefolder\elevate.cmd mmc.exe compmgmt.msc /computer:SERVER1

    This is tested on Windows 7 but I guess it will also work on Vista.
    • Proposed as answer by Gregory_G Saturday, January 15, 2011 9:05 PM
    Thursday, October 15, 2009 2:13 PM
  • This thread may have been more about Windows Vista than Windows 7 but I've got some information for you just the same about UAC.  Read the section “Changes to tokens”

    from http://technet.microsoft.com/en-us/library/cc731677(WS.10).aspx.  This explains why/how UAC works under the hood.  My recommendation, if you are comfortable using Run As whenever you need then I think you should turn off UAC.  This will make Windows Vista/7 behave more like Windows XP.  Again this is my recommendation for admins who know and accecpt the Run As feature.  And I feel that Microsoft is trying to make Windows more like UNIX but it is missing the mark; big time.

     

    From my experience UAC is MS's 2nd attempt (the first being Run As) at getting customers to use the Run As command.  Personally Run As could have used a bit of promotion instead of implementing the backward solution UAC is.  If you notice UAC mostly appears when one is trying to do something that they may normally like to do with an elevated permission like an installer.  But it only works in limited ways on Windows 7/2008 R2 because it mainly focuses on installers, Control Panel apps and EXEs.  A regurlar user can no longer open up CompMgmt.msc and read "admins" the errors out of the log file and there is one process that does not generate the pop-up; Windows Explorer when a user doesn't have access to a folder.  Although it may be a bit off topic my issues with Windows 2008 File Servers lead me to find the article above and I've implemented the solution I've suggest to you.  I n case you want to reproduce the issue... we have a folder, E:\Data, that only has SYSTEM and Administrators with Full Control and it does not inherit permissions from the parent folder.  (We'd make some deeper folders, share them and allow users to modify those folders for department and personal folders.)  With UAC on, the "Admins" cannot use Windows Explorer (or Command Prompt if memory serves me correctly) to enter the directory until the Advanced Properties takes ownership and grants the admin full control to all of the files and sub files.  This may seem like an okay solution until you learn that we are sporting Distributed File System and 400 GB of replicated data and over 500,000,000 files.  Needless to say an "admin" taking ownership or granting an "admin" full control is not something we want to do becase it will initiate replication over the WAN for every single file.  Then it will do it again when you remove the "admin" fomr the ACL list.  With UAC off, the behavior works just like it did in a Windows Server 2003's File Server.  Admins are allowed in and Users are kept out.  DFS replicates only what it needs to and there isn't a micky mouse control that changes the ACLs of every file if an admin should but doesn't have access.  Turning UAC off of your Windows Server 2008 R2 file (and other) servers fixes this issue.

     

    Getting back to another suggestion would be to author an MMC with all of the tools needed and use any one of the ways suggested to launch it so that you get all of your tools in one package and this reduces the number of time you need to use UAC/Run As.

     

    Another gripe I've got is the change with Internet Explorer 6 to IE 7 or higher.  I used to launch IE6 with an "Admin" account and I was able to browse to folder any local or remote folder structure I needed to.  I was able to launch EXEs, Contol Panel Apps, almost anything with the account running IE (note I could run IE as a user or Admin).  Running IE with an "admin" account would allow me to leave a "main" window (others have suggested  Command Prompt) to launch other admin tools.  This was useful to me as an admin because I did elevate properly and I had a tool open for as long as I needed it thus reducing the amount of times I needed to elevate privilidges.  Well starting with IE 7 any requesting to a file system location or UNC and IE hands off the opening of the folder request to Windows Explorer.  Well guess who's running Windows Explorer: my user account which doesn't have access to either find the remote location or the ability to install anything.  This annoys me to no end because I've lost a graphical ability to find and install packages from file servers on local desktops when my "users" are logged and a launching platform that made my job easier.

    Sybuur

    Wednesday, February 2, 2011 8:42 PM
  • I know this is a really old thread, but I figured I'd post the way I run an mmc as a domain admin in windows 7.

    Create your custom mmc and save it in you documents folder.

    Go to a command prompt and type:  runas /user:[username]@[domain].com "mmc C:\Users\[username]\Documents\AD-Users-and-Computers.msc"

    You can also create a bat file so you don't have to type the command everytime. 

    Hope that helps someone.

    Friday, April 1, 2011 2:14 PM
  • Hi

    I was looking for the same behaviour. So I post my solution :

    Without any Group Policy, you can try runas /user:adesi\adm%username% "cmd /c Start /B mmc.exe %SystemRoot%\system32\dsa.msc"

    Works for m.

    Friday, April 15, 2011 2:57 PM
  • Disable UNC from control panel and restart the system and then check.
    Tuesday, September 6, 2011 10:12 AM
  • And yet another example of a convoluted command for a shortcut so you don't have to explicitely open a Command Prompt:

    C:\Windows\System32\runas.exe /profile /env /user:DOMAIN\adm.myuserid "cmd /c C:\Windows\System32\mmc.exe \"C:\Program Files\Microsoft\Exchange Server\Bin\Exchange Management Console.msc\""

    Enter the password for DOMAIN\adm.myuserid:

    Attempting to start cmd /c C:\Windows\System32\mmc.exe "C:\Program Files\Microsoft\Exchange Server\Bin\Exchange Management Console.msc" as user "DOMAIN\adm.myuserid" ...

    And then the console started up.

    What a pain. Not user friendly. No beginner user would ever figure this out.

    -- Rob --

    Thursday, March 1, 2012 1:22 AM
  • Hi

    I was looking for the same behaviour. So I post my solution :

    Without any Group Policy, you can try runas /user:adesi\adm%username% "cmd /c Start /B mmc.exe %SystemRoot%\system32\dsa.msc"

    Works for m.

    This solution worked well for me, thank you.
    • Proposed as answer by D. P. Watts Monday, March 26, 2012 9:47 PM
    Monday, March 26, 2012 9:47 PM
  • I had a similar issue. When I ran gpupdate /force it failed. By running gpresult /h xyz/html I found that communication was not going to the correct domain controller. A simple route add worked.

    My input is to force the group policy update with gpupdate /force from the command line and see if it completes successfully.

    Wednesday, May 23, 2012 10:34 PM
  • I know this thread is really old, but I thoroughly appreciate this. You saved me a lot of time.
    Thursday, December 22, 2016 2:24 PM