enable "runas" under account, without log into workstations ?

 
 
Hernán Castelo
      11-19-2004, 10:31 PM
hi
i need to set up an account
just to execute an .exe via the "RunAs" command
but prevent starting Windows
with that account on the network

is it possible?

--
Regards,
Hernán Castelo
SGA - UTN - FRBA


 
mmac
      11-20-2004, 02:55 AM
I got the following in response to a similar problem, hope it helps.

1. Click Start / Control Panel / User Accounts / Create a New Account / Name the Account: "able2play" (without quotes) / Next Pick: "Computer-Administrator" & Click "Create Account";

2. Click on your new able2run account and Create a Password for it;

3. When your limited user wants to run a program that requires Administrator privileges they can Right-Click the shortcut to that program / Click Run As... / "The Following User": able2run and enter the password. Simple as that!

I know what you're thinking: That defeats the purpose of the limited user account.
To secure the "able2run" account so that it can't be used to logon to the computer:

First you can hide the account so that it won't show up on the Welcome Screen:
http://www.dougknox.com/xp/scripts_d...hide_users.htm (thanks Doug!)

Next add a shortcut to the windows logoff routine into the RUN key of the able2run registry.
This is a one shot attempt that must be done from within the account.
Once done you can't gain access to the account again so get it right the first time

4. Logon to the "able2run" account,

5. Click Start / Run / regedt32 / browse to:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] and
Click Edit / New / String value / ValueName: logoff / Value data: logoff

From now on, if anyone logs on with the "able2run" account, the computer will log them off immediately. They will not gain access to an administrators desktop! :-)
Steven L Umbach
      11-20-2004, 05:49 AM
I assume for this to work the user able2run needs to be added to the
administrators group.

The other thing to keep in mind is that a user does not need to logon as an
administrator to exploit the power of the account if the user knows
administrator credentials. For instance the command [ runas /user:able2run
"net localgroup administrators /add myaccount" ] would prompt the user for
the credentials for able2run and then add the user's account to the local
administrators group. Granted the average user may not know how to do such
but it is something to be aware of. --- Steve

mmac
      11-20-2004, 06:07 AM
Yes, item 1 states that you create the account as an admin.
2. That's also true, this would be used as a runas command for the non
admins. The big point was that we didn't want to add the user to the admins
group, just be able to use the account for the single program that won't run
unless on an admin account. Like Quickbooks, Printmaster, and many other
programs not intended for a file secured environment.
The downside of this approach is if the user is smart enough he can figure
out that the account can be used for other programs as well. We just hope he
doesn't figure it out.
Steven L Umbach
      11-20-2004, 06:31 AM
Understood. It is too bad that there are still too many programs that
require administrator access to run. If you are lucky they may run as a
regular user with some permissions mods to program files folder, machine
registry key for the application, and maybe the all user's profile.
SysInternals make a couple of tools called filemon and regmon that can help
with tracking down permissions problems if you logon as regular user and
invoke them with runas and then looking in their log files for "denied
access" when application launch fails for places to modify permissions and
try again. People have told me that Quicken is not too helpful in resolving
the program. --- Steve

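One way to turn the Filemon/Regmon logs described in the post above into a short list of places to review permissions, as an added example that is not part of the original thread. The tab-separated column layout, the result labels treated as a denial, and the process and path names are assumptions; the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows (not real tool output). Assumed column layout:
# sequence, time, process:pid, request, path, result, other
_ROWS = [
    ("1", "10:02:11", "app.exe:1204", "OpenKey",
     r"HKLM\SOFTWARE\ExampleVendor\App", "SUCCESS", ""),
    ("2", "10:02:11", "app.exe:1204", "SetValue",
     r"HKLM\SOFTWARE\ExampleVendor\App\LastRun", "ACCDENIED", ""),
    ("3", "10:02:12", "app.exe:1204", "CreateKey",
     r"HKLM\SOFTWARE\ExampleVendor\App\Test", "ACCDENIED", ""),
    ("4", "10:02:12", "explorer.exe:880", "OpenKey",
     r"HKLM\SOFTWARE\Other", "ACCDENIED", ""),
    ("5", "10:02:13", "app.exe:1204", "CREATE",
     r"C:\Program Files\ExampleApp\data\app.ini", "ACCESS DENIED", ""),
    ("6", "10:02:14", "app.exe:1204", "SetValue",
     r"HKLM\SOFTWARE\ExampleVendor\App\LastRun", "ACCDENIED", ""),
    ("7", "10:02:14", "app.exe:1204", "QueryValue",
     r"HKLM\SOFTWARE\ExampleVendor\App\Version", "NOTFOUND", ""),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in _ROWS)

# Assumed result labels for a denied request.
DENIED = {"ACCDENIED", "ACCESS DENIED"}
REGISTRY_ROOTS = ("HKLM", "HKCU", "HKCR", "HKU")


def permission_worklist(log_text, process_name):
    """Return sorted (kind, path, requests, count) tuples for every path
    the named process was denied, so only those ACLs need review."""
    requests = defaultdict(set)
    counts = defaultdict(int)
    reader = csv.reader(io.StringIO(log_text), delimiter="\t",
                        quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) < 6:
            continue  # header, blank or truncated line
        process, request, path, result = (c.strip() for c in row[2:6])
        # Keep only the application under test, ignoring the ":pid" suffix.
        if process.split(":")[0].lower() != process_name.lower():
            continue
        if result.upper() not in DENIED:
            continue
        requests[path].add(request)
        counts[path] += 1

    worklist = []
    for path, reqs in requests.items():
        is_reg = path.upper().startswith(REGISTRY_ROOTS)
        kind = "registry" if is_reg else "file"
        worklist.append((kind, path, sorted(reqs), counts[path]))
    return sorted(worklist)


if __name__ == "__main__":
    for kind, path, reqs, n in permission_worklist(SAMPLE_LOG, "app.exe"):
        print(f"{kind:8} {n:2}x  {', '.join(reqs):10} {path}")
```

Each entry is a candidate for a narrowly scoped permission change for the regular user, which avoids handing out an administrator password for RunAs.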
 
mmac
      11-20-2004, 07:12 AM
You are right on both counts. I have used the tools from sysinternals to
make programs work with some success but QuickBooks was such a pain to make
work only to find that the only reason it was necessary to add all those
permissions was because QB would simply write a key to see if it could and
then it deletes it. It does this a dozen times to different keys and then
never tries again after the initial startup. What a pita! and for nothing!
and QB support is silent on the matter.
I know that some programmers aren't able to address these issues because
of the compiler they use or outright inexperience, but I wouldn't think
Intuit would qualify for that distinction. They are doing it on purpose.
Hernán Castelo
      11-20-2004, 01:21 PM
thanks for the replies

combining local and domain accounts
(matching their passwords)
and using the "launch a program when the user logs in" option,
might it be helpful?


--
Regards,
Hernán Castelo
SGA - UTN - FRBA
Alan D.
      11-22-2004, 08:47 PM
A better way to keep someone from logging on with the account might be the
following:

Start / Control Panel / Administrative Tools / Local Security Policy

Security Settings / Local Policies / User Rights Assignment / Deny Logon
Locally

Modify that value (Deny Logon Locally) to include the user you have just
created.

I believe in Windows 2000 "Local Security Policy" may be referred to as
"Group Policy" but I'm not sure. I ran Windows 2000 very briefly before
switching to XP.
mmac
      11-23-2004, 04:10 AM
Not a bad idea. Probably better than modifying the registry directly.
Marco
      11-23-2004, 07:08 AM
Hi Hernán

what exactly are you trying to accomplish? what application do you need/want
to run?

--
marco -> neovalens -> com

Free five computers' license for NeoExec for Active Directory
[ www.neovalens.com ]
----
