The Invisible Administrator
Running an application or a batch file on a user's desktop with a different credential
We need to run an application on user's desktop
that requires administrative privileges. We also need to execute certain
batch files on workstations that require administrative privileges. I'd
like to use the RunAs utility but, unfortunately, it doesn't support passwords
in a script. Our users are using Windows XP Professional and our company
policy dictates that they should not be given administrative rights on
Can you recommend any solution that will accomplish what we want? If
I could use RunAs, that would be great. But, I am also open to other suggestions.
Tech HelpJust An
Got a Windows, Exchange or virtualization question
or need troubleshooting help? Or maybe you want a better
explanation than provided in the manuals? Describe
your dilemma in an e-mail to the MCPmag.com editors
the best questions get answered in this column and garner
the questioner with a nifty MCPmag.com baseball-style
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message, but submit the requested
information for verification purposes.)
Steve: You've mentioned RunAs utility, which can be handy
in a lot of situations. For example, if end users don't have administrative
privileges on their client computers, you can use RunAs to run an application
or a script in the background. However, RunAs doesn't allow you to enter
a password in a script. So, if you deploy a script using Group Policy
that uses RunAs command, depending on the script the user may get prompted
for a password.
Here's a solution that I've come up to solve your particular situation.
(And, at the end of this column, I do ask for readers to offer other techniques
or a better method to accomplish the results with RunAs; a book will go
to the best one.) This example uses a batch file that includes RunAs,
and enters the local Administrator password on the client workstation,
then executes the script that updates the time. The example only shows
you the capabilities of the script and the type of things that you can
do with this technique. Obviously, you can achieve the result of updating
time in many other ways. I use this example only to demonstrate the point,
since I don't know exactly which batch files you want to run. I've broken
down the solution into three steps:
1. Create a batch file, for example SetTime.bat, which includes
the following commands:
REM Map a drive to the computer if it's not in your
REM own domain. To map to a computer called London with
REM an Administrator password of "password", use the
REM following command.
net use z: \\london\c$ /user:administrator password
REM Now update the time on your local computer by
REM providing the domain name for Nwtraders domain
REM where the DC London exists.
net time /DOMAIN:nwtraders /set /y
REM Disconnect the drive that was mapped.
net use z: /d
You only need to map drives if the time server is not in the same domain.
Also, you can use any other program or command, instead of updating time.
The mapping of drive and "net time" is only used here for demonstration
2. Download the Sanur utility from TechGalaxy
Downloads and install it locally on the client computer. Sanur is
a freeware tool that allows you to "pipe" a password in the
RunAs utility. Make sure that both the Sanur program and the batch file
are on the path, or run it from the appropriate folder where the files
3. Create a batch file (e.g. Go.bat) that includes the RunAs command.
Make sure the echo is off or else the user will be able to see the Administrator's
RunAs /user:Computer1\Administrator SetTime.bat | sanur password
Here's what is happening. When you run the Go.bat file, it executes the
RunAs command using the local administrator's credentials. Go.bat then
executes the SetTime.bat file, which updates the time from a domain controller
in a different domain (or even a different forest). It first maps a drive
to establish a trust and then updates the time. Then it deletes the mapped
drive so only the time is updated and no mapped drives are left for the
Let's Hear ItDo you have any other techniques you can share
to accomplish what Steve wants, with or without freeware tools? Please
send me an e-mail at email@example.com.
The best solutions will appear in a future column and one submitter will
be sent a book, Protect
Your Windows Network From Perimeter to Data, by Johansson and
Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide range of spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at firstname.lastname@example.org.