Runas example for running dsa.msc as a different user doesn't seem to work

Microsoft Windows
Post Reply
Red_Chaos1
Posts: 2
Joined: 2022-Sep-14, 2:57 pm

Runas example for running dsa.msc as a different user doesn't seem to work

Post by Red_Chaos1 »

Greetings,
I work in IT for a smaller company which due to "reasons" hadn't been using best practices in a few key areas, one of the most egregious being our own standard user accounts having privileged access on the domain, etc. We're getting around to rectifying this, having separate elevated admin accounts we have to use to run ADUC and the like. To ease some of the pain of having to Shift + Right Click icons and select Run as different user for every one of these programs our Sys Admin told us to use runas /savecred /user:"domain\user" "cmd /c mmc %windir%\system32\<application>.msc" for MMCs and runas /savecred /user:"domain\user" "cmd /c start path to exe" for EXE's. The problem is, the cmd /c doesn't function as expected, the command window remains open after the MMC runs. Removing the /c simply opens a new cmd window.

I came to SS64 to check the syntax for both cmd and runas to see if anything was missing and noted that there was an example specifically for running DSA as another user right there. However, it doesn't work. The batch runs and closes never asking for any credentials or opening anything. Changing /env to /profile or even /savecred (I had removed this switch for security) does nothing, only having cmd /c in the program part of the string makes it "work." On a lark, I tried replacing the mmc part with start, and to my surprise it functions perfectly. I figured I'd post here about this to find out if there was something I was missing, some new/unknown gotcha in Windows 10 that causes this, etc. before attempting use of the mailto contact to suggest an edit to the example.
User avatar
Simon Sheppard
Posts: 190
Joined: 2021-Jul-10, 7:46 pm
Contact:

Re: Runas example for running dsa.msc as a different user doesn't seem to work

Post by Simon Sheppard »

Thanks, I have added that to the RUNAS example now, I don't know why the START is needed, perhaps someone else can explain it?
User avatar
Simon Sheppard
Posts: 190
Joined: 2021-Jul-10, 7:46 pm
Contact:

Re: Runas example for running dsa.msc as a different user doesn't seem to work

Post by Simon Sheppard »

It could be that MMC.exe is relaunching as either a 32 or 64 bit process
https://docs.microsoft.com/en-us/previo ... 3(v=vs.85)
Red_Chaos1
Posts: 2
Joined: 2022-Sep-14, 2:57 pm

Re: Runas example for running dsa.msc as a different user doesn't seem to work

Post by Red_Chaos1 »

Simon Sheppard wrote: 2022-Sep-14, 4:47 pm It could be that MMC.exe is relaunching as either a 32 or 64 bit process
https://docs.microsoft.com/en-us/previo ... 3(v=vs.85)
Could be, but it's hard to say. For grins I tried running dsa via: runas /user:domain\user "cmd /c mmc /32 %windir%\system32\dsa.msc" and ADUC runs, but I get "MMC could not create the snap-in. The snap-in might not have been installed correctly. Name: Active Directory Users and Computers CLSID: {E355E538-1C2E-11D0-8C37-00C04FD8FE93}". When I replaced /32 with /64, I got the original behavior where dsa runs, but the cmd remains open. Not sure it's notable or not, but if I add the exit command, then the standard "cmd /c mmc <stuff>" functions the way it should due to the /c.
Post Reply