Maybe this is an old chestnut that someone's already answered ?
I'm used to using remote assistance to assist customers in an enterprise - under XP, we could use remote assistance & then use "Run as..." or the "runas" command to start an escalated instance of Internet Explorer on the customer's workstation so that we could do administrative tasks on the workstation - installing software, printers, examining the registry etc.
In Vista, the model has changed.
It's preceived to be a security risk to offer assistance to a customer this way, since they can disconnect you and "steal" your credentials.
Unfortunately the changes to MS Remote Assistance (MSRA) are treating this as a core security issue, instead of an internal control issue in an Enterprise setup. In the Enterprise, if someone tried to disconnect me & steal my admin credentials, they'd be fired & would be leaving the building with their stuff in a box, so the focus is a little different.
You can't use "run as administrator" via MSRA because the Vista UAC now pops up a window for administrative credentials that you cannot respond to remotely. It's designed for an instance where the customer provides their own administrative credentials when they need escalated privileges.
In an Enterprise setup, the end-user doesn't have administrative credentials - we're supposed to be able to help them, but using MSRA we can't send a CTRL-Alt-Del, nor can we type in the credentials into the UAC prompt, because we just get a black screen when this pops up on the user's workstation.
You also can't use the "runas" command as before - "runas" will not allow you to start an escalated program such as explorer.exe, internet explorer, control.exe. They either don't start or you get a message saying that the program doesn't support RUNAS.
Although we can connect to the PC using MSTSC when the customer is logged out, it isn't the same as being able to assist the customer at the desktop, when we can use admin credentials to quickly resolve issues that the customer has. MSRA seems to have lost a lot of its useful functionality - we are now simply observers of the customer's desktop, and unable to actually help them with their issues.
Apart from abandoning microsoft & going with something like VNC, is there a way to get things running with admin credentials using MSRA ?
- Changed type Sean Zhu -Moderator Tuesday, March 10, 2009 6:28 AM
I have had some success on Windows 7 with runas from the command line. If you run %comspec% as a different user (with admin rights), you should then be able to run install files from anywhere that is not in C:\Users\USERNAME. I usually copy any install files to the C:\ drive and run from there.
The full command would be: "runas /noprofile /u:DOMAIN\user %comspec%"
This pops up the familiar "Enter the password for DOMAIN\user:" prompt, instead of the blocked UAC screen. I imagine you can things other than %comspec%, perhaps Control Panel applets, but I have not needed to yet.
- Edited by nberlanga Tuesday, March 23, 2010 9:31 PM remove code block
Another thing to try: On the remote machine, do a shift-right click on the executable. You should see another entry:Run as different user. It's been my experience that you will see the credentials prompt and you will be able to enter your login information. In this case, the end user is NOT prompted with the UAC.