Runas example for running dsa.msc as a different user doesn't seem to work
Posted: 2022-Sep-14, 3:45 pm
Greetings,
I work in IT for a smaller company which, due to "reasons," hadn't been using best practices in a few key areas, one of the most egregious being our own standard user accounts having privileged access on the domain, etc. We're getting around to rectifying this, having separate elevated admin accounts we have to use to run ADUC and the like. To ease some of the pain of having to Shift + Right Click icons and select Run as different user for every one of these programs, our Sys Admin told us to use runas /savecred /user:"domain\user" "cmd /c mmc %windir%\system32\<application>.msc" for MMCs and runas /savecred /user:"domain\user" "cmd /c start path to exe" for EXEs. The problem is, the cmd /c doesn't function as expected; the command window remains open after the MMC runs. Removing the /c simply opens a new cmd window.
I came to SS64 to check the syntax for both cmd and runas to see if anything was missing and noted that there was an example specifically for running DSA as another user right there. However, it doesn't work. The batch runs and closes, never asking for any credentials or opening anything. Changing /env to /profile or even /savecred (I had removed this switch for security) does nothing; only having cmd /c in the program part of the string makes it "work." On a lark, I tried replacing the mmc part with start, and to my surprise it functions perfectly. I figured I'd post here about this to find out if there was something I was missing, some new/unknown gotcha in Windows 10 that causes this, etc. before attempting use of the mailto contact to suggest an edit to the example.