Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Monday, September 19, 2016 2:37 PM
All,
My group is trying to use a better security model, and one of the "good practices" we're attempting to implement is the separation of standard user accounts and elevated access accounts such as domain admins. In order to administer the environment I'd like to login with a standard user account, and run admin tools (such as mmc.exe) as an account with elevated access. When I try to run 'runas /user:domain/user /savecred mmc' I receive the error "740: The requested operation requires elevation." When I try to run 'runas /user:domain/user /savecred "cmd /c mmc" I receive the error "Your system administrator has blocked this program. For more information, contact your system administrator." Any idea how I might achieve this separation without burning UAC to the ground?
All replies (11)
Monday, September 19, 2016 2:51 PM
I ran this on my system and it failed with a different error. Is this a fat finger error or possibly more?
Yours
'runas /user:domain/user /savecred mmc'
Mine (works, note the slash by username)
'runas /user:domain\user /savecred mmc'
BlankMonkey
Monday, September 19, 2016 2:51 PM
Hello
C:\Windows\System32\runas.exe /noprofile /user:domain\user “mmc”
You can put it in a .bat file, and save on desktop. Next time you need it, just double-click it, it will ask for password, give password, and you are in MMC as a domain\user
Regards, Regin Ravi
Monday, September 19, 2016 2:55 PM
That was a fat finger error. The command I run has a backslash (\ between the domain and username. Do you have the UAC enabled?
Monday, September 19, 2016 2:56 PM
I tried that as well, but I get the same system administrator has blocked this program error message.
Monday, September 19, 2016 3:14 PM
Sorry, mine is disabled :(
BlankMonkey
Tuesday, September 20, 2016 5:48 PM
What MMC are you trying to run? I know there are some MMC specific issues with AD ones.
BlankMonkey
Tuesday, September 20, 2016 6:44 PM
Ideally I'd like to run all of the AD specific snap-ins, but, for now, I'm just trying to run mmc.exe without loading any snap-ins. It seems like I'll either have to login with an account with elevated access, or disable UAC on all of the infrastructure admin PCs. Either way I'll be weakening our security posture.
Tuesday, September 20, 2016 8:39 PM
Well, I will tell you right now that the Runas has some additional problems with ADUC. I will have to look at some of my old KB's, but I know there were some command line switches, and then some manual stuff to be done to the mmc after the connection in order to get it to work... each time. not pretty
BlankMonkey
Friday, September 23, 2016 12:02 AM
Hi,
I have tried what you mentioned and I can open mmc by running: I have UAC enabled. We need UAC enabled to complete the evaluation.
If you get UAC enabled, and still fail to do so, check if there is any GP in this link configured to block this behavior:
https://technet.microsoft.com/en-us/library/cc709697(v=ws.11).aspx
You can run RSOP to check the results.
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Thursday, September 29, 2016 2:39 PM
This is with Windows 10? I ran the RSoP just to see if there was an errant GPO that might be causing this behavior, but there were no Software Restriction Policies applied to the computer or user accounts.
Thursday, September 29, 2016 5:20 PM
For a bit more context to my question I also maintain Windows 8.1 machines as well, and do not experience this issue with that OS. This issue is only present on Windows 10 machines.