MakeMeAdmin -- temporary admin for your Limited User account

re: MakeMeAdmin -- temporary admin for your Limited User account

Dane Watson — Sat, 24 Jul 2004 08:38:00 GMT

Thank you for the excellent informative posting

re: MakeMeAdmin -- temporary admin for your Limited User account

Andrew Storrs — Sat, 24 Jul 2004 09:29:00 GMT

Thanks Aaron, I've been eagerly awaiting this post... Looking forward to the privbar

MakeMeAdmin - temporary admin for your Limited User account

Donna's SecurityFlash — Sat, 24 Jul 2004 18:10:00 GMT

re: MakeMeAdmin -- temporary admin for your Limited User account

Daniel Schlößer — Sun, 25 Jul 2004 20:08:00 GMT

On a German Windows one has to change in the batch file the group name from Administrators to Administratoren ;-) It works perfect now!

re: MakeMeAdmin -- temporary admin for your Limited User account

Wes — Mon, 26 Jul 2004 00:00:00 GMT

Very informative post for me. Thanks for the lesson, now maybe I will try to run as non-admin.

re: MakeMeAdmin -- temporary admin for your Limited User account

Aaron Margosis — Mon, 26 Jul 2004 04:23:00 GMT

Daniel, thanks for the note. I should have mentioned that the script can be customized, for localization or any other reason. Thanks for pointing it out.

running as non-admin

Eric Jarvi — Mon, 26 Jul 2004 22:35:00 GMT

re: MakeMeAdmin -- temporary admin for your Limited User account

ToddM — Tue, 27 Jul 2004 03:00:00 GMT

I had to make a change or five to get the batch file to handle user names with embedded spaces. Wasn't exactly a trival change, either, given the existence double quotes already in the cmd file. (And, no, just using \" didn't help, either). Once I've got it cleaned-up, I'll post here.

re: MakeMeAdmin -- temporary admin for your Limited User account

Aaron Margosis — Tue, 27 Jul 2004 03:46:00 GMT

ToddM - thanks, good point. Does this work for you? (I've tried it and it seems to work for me...) Mostly just replace instances of %1 with "%*". I've only tried this with the current username with an embedded space - didn't try domain/workgroup name with embedded space, or a renamed admin account with an embedded space.

@echo off
setlocal
set _Admin_=%COMPUTERNAME%\Administrator
set _Group_=Administrators
set _Prog_="cmd.exe /k Title *** %* as Admin *** && cd c:\ && color 4F"
set _User_=%USERDOMAIN%\%USERNAME%

if "%1"=="" (
runas /u:%_Admin_% "%~s0 %_User_%"
if ERRORLEVEL 1 echo. && pause
) else (
echo Adding user %* to group %_Group_%...
net localgroup %_Group_% "%*" /ADD
if ERRORLEVEL 1 echo. && pause
echo.
echo Starting program in new logon session...
runas /u:"%*" %_Prog_%
if ERRORLEVEL 1 echo. && pause
echo.
echo Removing user %* from group %_Group_%...
net localgroup %_Group_% "%*" /DELETE
if ERRORLEVEL 1 echo. && pause
)
endlocal

re: MakeMeAdmin -- temporary admin for your Limited User account

Ari Pernick — Fri, 30 Jul 2004 03:22:00 GMT

"iexplore.exe -new" will do what you want without setting any special settings.

re: MakeMeAdmin -- temporary admin for your Limited User account

Aaron Margosis — Fri, 30 Jul 2004 03:48:00 GMT

Ari - what does -new do for iexplore.exe? Wasn't that for starting IE 4.x in a new process? Starting iexplore.exe always results in a separate process now.

re: MakeMeAdmin -- temporary admin for your Limited User account

Howard Hoy — Mon, 02 Aug 2004 20:54:00 GMT

We use a similar process here for our Zenworks Deployments. In some instances the Zenworks tool will not properly elevate a user which then requires us to add a user to the admin group, then remove them. I have devloped a tool called Authenti-key for NT that allows you elevate installs as an administrator. IT works on 95 - XP. You can create an elevated CMD window and perform any admin task from there. Similar to SU and can be used in scripting.

Here is a link.

http://downloads-zdnet.com.com/Authenti-Key-for-NT-AKEY-/3000-2094-10153448.html?tag=lst-0-1

Great work on the script. !!

Installing software as Admin?

TrackBack — Wed, 11 Aug 2004 06:06:00 GMT

Use MakeMeAdmin.cmd when installign software

Installing software as Admin?

TrackBack — Wed, 11 Aug 2004 06:09:00 GMT

Use MakeMeAdmin.cmd when installign software

MakeMeAdmin script

Extra88 — Wed, 11 Aug 2004 17:31:00 GMT

This is an interesting script. It has some room for error but I have an idea about how to avoid that. Some fellow who seems to work for Microsoft in some capacity has written a batch script called MacMeAdmin that...

re: MakeMeAdmin -- temporary admin for your Limited User account

Marc Poljak — Wed, 11 Aug 2004 17:47:00 GMT

thanks a lot for this superb script. I was looking for a solution that addresses the issues with "RunAs" for a long time.

re: MakeMeAdmin -- temporary admin for your Limited User account

Carolh — Wed, 11 Aug 2004 19:33:00 GMT

Great utility. The one problem we ran into is that we have the "installation" file on a netware server, and can't point to the network drive mapping.

re: MakeMeAdmin -- temporary admin for your Limited User account

Aaron Margosis — Wed, 11 Aug 2004 20:09:00 GMT

Carolh - Correct. SMB sessions (e.g., NET USE connections and drive mappings) belong to a logon session. Since MakeMeAdmin runs in a separate logon session from your main shell, it doesn't automatically get the shell session's drive mappings. (I assume the same or similar is true with IPX/SPX stuff.) You can create a new connection within the MakeMeAdmin session using NET USE or the NetWare equivalent.

re: MakeMeAdmin -- temporary admin for your Limited User account

Toby Ovod-Everett — Wed, 11 Aug 2004 20:34:00 GMT

Clever - I was wondering how you were going to get around the logon problem, but the minute you said "creates a new logon session" I knew where you were going! Cute!

That said, I'm personally a bit queasy about any RunAs style solutions - because the secure and insecure windows are in the same (ok, I'm hunting for the term, what do you call the ?contexts? ?windows sessions? that which every logged on user under XP fast user switching has one of - I'll call them window sessions for now - I know there's a proper term for them) window session, there is a greater chance of cross-application attacks through SendMessage, PostMessage, screen grabs, etc. Personally, I'm pretty happy with the Fast User Switching approach on my home machine (which obviously isn't a domain member) - I use the account "Admin" (created) for administrative stuff and then there are personal accounts for my wife and I, guests, etc. With 768 MB of RAM, I rarely run into resource issues, even with up to seven simultaneous sessions logged in. It only takes ten seconds to hit Windows-L, click, type in the Admin password, and go do something.

Of course, to be safer, I should never su to root on my Linux box (since anyone who manages to get access to my personal account could easily alias su to something else), etc. I do try to change all my passwords whenever I am forced to authenticate from a machine I don't trust (i.e. Internet cafes in airports).

--Toby Ovod-Everett

MakeMeAdmin -- temporary admin for your Limited User account

Lockergnome's Tech News Watch — Wed, 11 Aug 2004 23:24:00 GMT

"Common scenario: you log on with your Windows domain account, which you have removed from the Administrators group (as well as from Power Users, Backup Operators, etc.) . When you need to perform tasks that require elevated privileges, you use RunAs to start a program with the local Administrator account. You quickly realize" that this is a pain in the posterior! Here's how to go about it much easier and without the limitations....

re: MakeMeAdmin -- temporary admin for your Limited User account

Aaron Margosis — Thu, 12 Aug 2004 04:54:00 GMT

Toby - I've never had my code called "cute" before. Thanks?

The term you are looking for in the 2nd paragraph is "desktop" - as in, the Win32 construct that is defined within a Window Station. (See http://msdn.microsoft.com/library/en-us/dllproc/base/desktops.asp) . Any program (more accurately, any thread) running on a particular desktop can access any window running on that desktop, send it messages, simulating keystrokes and mouse events, etc. When you use RunAs, you're creating a new program running in a different security context, but on the same desktop, so the risk you identified exists. With Fast User Switching, you are switching to a different desktop and are not vulnerable to those kinds of attacks. I pointed to Fast User Switching in an earlier post called "The easiest way to run as non-admin"; it is IMO also the most secure way to run as non-admin for the reason you point out. However, FUS isn't available for domain-joined machines.

re: MakeMeAdmin -- temporary admin for your Limited User account

Marc Poljak — Thu, 12 Aug 2004 10:28:00 GMT

Aaron - is there a way to avoid the first command prompt for the local administrator? I would find it great if you know a method how to pipe it, like for example: echo YourSecretPassword| runas /u:%_Admin_% "%~s0 %_User_%" ?

re: MakeMeAdmin -- temporary admin for your Limited User account

Sean McLeod — Thu, 12 Aug 2004 10:58:00 GMT

I looked at my Local Security Policy on my XP machine and "System objects: Default owner..." is set to "ObjectCreator". However when I check the ownership of files, e.g. Adobe Acrobat Reader and others under "Program Files" the owner is my local machine's administrators group and not my account (which currently is part of the administrators group).

My machine isn't part of a domain.

Rage on Omnipotent » Make me admin

TrackBack — Thu, 12 Aug 2004 13:39:00 GMT

Rage on Omnipotent » Make me admin

re: MakeMeAdmin -- temporary admin for your Limited User account

Sean McLeod — Thu, 12 Aug 2004 18:57:00 GMT

I guess another combo option to get the benefits of running your admin session in a separate desktop using FUS and to use the same user account functionality that MakeMeAdmin offers is to try the following:

Use FUS to login into the Administrator account.
Have a script in the Administrator's startup folder that:
- Kills the explorer.exe process
- Runs a tweaked MakeMeAdmin script to create a new explorer process with your regular account added to the administrators group

Now any further processes that are launched by this instance of explorer will be running with your account in the administrators group.

For those people who can't use FUS since they're part of a domain the other option to look into with XP SP2 is the ability to have an active console user and an active RDP session. There was talk that this would be added in XP SP2 specifically to support the use of Mira/SmartDisplay devices.

If this is enabled in XP SP2 then you could use the above combination just replacing the FUS component with an RDP session back to your localhost.

re: MakeMeAdmin -- temporary admin for your Limited User account

Aaron Margosis — Fri, 13 Aug 2004 07:13:00 GMT

Sean McLeod, re ownership of files. I just checked an XP SP1 box that I never changed the default owner setting on. DIR /Q in the Program Files folder shows a mix of specific account and BUILTIN\Administrators ownership. I'm going to take a completely wild guess here and suggest that the ones that show BUILTIN\Administrators were created/installed by the Windows Installer or Automatic Updates services running as System.

Re your FUS replacement - I'd call that "Scary User Switching". I could come up with something that kept the same acronym, but I'd probably be banned from blogging! :-) Seriously, I would expect so many things to break that way, not to mention the security problem of previously running apps trying to do things through the shell - if they manage to do so at all, those things will run with elevated privilege. RDP back to localhost would be good - not as good as FUS since it would still share the same desktop, but could be good.

FWIW, I made a brief attempt to take the old DESKTOPS SDK sample app and rework it to support different contexts on different (Win32) desktops. It kinda sorta worked, but failed in odd ways, too.

re: MakeMeAdmin -- temporary admin for your Limited User account

Aaron Margosis — Fri, 13 Aug 2004 07:27:00 GMT

Marc Poljak: as far as I know, RUNAS.EXE does not let you enter passwords through stdin. This is probably to discourage the practice of storing passwords in plain text files.

re: MakeMeAdmin -- temporary admin for your Limited User account

Sean McLeod — Fri, 13 Aug 2004 14:05:00 GMT

In terms of RDP back to the localhost, if you're logged onto the console as userX and then RDP back as admin the terminal services component will create a separate desktop for the admin logon session. So I'm not sure why you say it'll share the same desktop.

Only issue is that I think the multiple session option will only be available for Windows Media Center Edition machines with SP2 and not regular Windows XP Pro with SP2.

re: MakeMeAdmin -- temporary admin for your Limited User account

Sean McLeod — Fri, 13 Aug 2004 15:42:00 GMT

In terms of "Scary User Switching" ;-) the only 'previously running apps' would be apps started by the 1st instance of Explorer running apps in the admin's startup group etc.

These are the same apps that would run anyway when you use FUS and login in as admin. So I'm not sure what 'security' issue you're thinking of in terms of these now communicating with the 2nd instance of explorer running as your regular account with admin group privileges since they already have admin privilige so could do just about anything anyway.

I was assuming that your admin account wouldn't have loads of these and that 99% of the actual apps that you want to run with admin privileges like user manager etc. you would launch via the new instance of explorer and these would have a token of consisting of your regular account plus the admin group and be the same as the 2nd instance of explorer. So there shouldn't be any 'interaction' problems between these an explorer.

If you definitely didn't want there to be any chance of mixing apps running under the admin account with apps running under your regular account as part of the admin group then another option is a specialised userinit process for your admin FUS session.

Modify WinLogon's userinit registry value to run 'customuserinit.exe' instead of the standard 'userinit.exe'. In this custom userinit program check to see what our current user is, if it isn't administrator then just run the standard userinit.exe and quit.

If the current user is administrator then use a version of your MakeMeAdmin concept to use runas to run the standard userinit.exe with a token of your standard account in the admin group. The standard userinit will then launch explorer and so all processes now will be running with the same token (standard account in the admin group).

So you'll now have 2 FUS sessions, one running as your standard user account without admin privileges and another running as your standard user account with admin privileges on separate desktops.

The one potential downside I see to the MakeMeAdmin concept is that you may have virus/spyware stuff installed as a browser helper object (BHO) or some other variation. But they don't have admin rights which is great since you're not part of the admin group. However if you then use MakeMeAdmin to create a process with yourself in the admin group and then you run an instance of IE now suddenly the spyware BHO will be loaded by this new instance of IE and will now be running with admin rights.

re: MakeMeAdmin -- temporary admin for your Limited User account

Aaron Margosis — Fri, 13 Aug 2004 16:10:00 GMT

Sean McL, re RDP back to localhost: I'm referring to the fact that your RDP client app (typically mstsc.exe) is on the same desktop as your non-privileged logon. Unprivileged apps could (at least theoretically, I haven't tried it) send messages to the mstsc window to direct key and mouse events to the remote desktop.

I'll tackle your next post after I get some coffee :-)

re: MakeMeAdmin -- temporary admin for your Limited User account

Will Brown — Sat, 14 Aug 2004 21:24:00 GMT

Aaron Margosis: I love this blog, thank you so much for the time and effort!

Aaron && Sean: Considering the whole same desktop/message issue (how hard would it be for malware to find a process with admin rights? furthermore why isnt there any security for messaging), it seems that Sean's solution, Scary User Switching, as its now officially known :D, seems to be the best one. I'm not sure what the 'previously running apps' are either. They only thing they could be are things started by user logon scripts. According to this <http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/regentry/12330.asp> the only things userinit does are run logon scripts, establish network connections, and then start explorer. so if your special MakeMeAdmin account isnt running anything with loginscripts, the first thing to run should be explorer.

One thing I think might be better. Instead of making a custom userinit application (which would need to call userinit anyway to reestablish network connections), couldn't we set user specific paths to explorer, by changing Shell in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot from "SYS:Microsoft\Windows NT\CurrentVersion\Winlogon" to "USR:Software\Microsoft\Windows NT\CurrentVersion\Winlogon". Then create the Shell entry in that key for each user and point set them to explorer.exe. Except for your special MakeMeAdmin account, set it to the properly modified MakeMeAdmin.cmd.

Marc Poljak: storing the admin password in the file would defeat the purpose. i don't see any prob with using the savecred option to eleminate having to type in the password for the current user account though. it would be saved in the admin's credentials folder.

re: MakeMeAdmin -- temporary admin for your Limited User account

Sean McLeod — Sun, 15 Aug 2004 12:41:00 GMT

Will the one issue with your approach is that any processes launched by the login scripts will now be running with the Admin token and not the regular user account in the admin group. Also the network connections will be established with the admin account.

So you'll have a mix of accounts which is what I was trying to avoid with the custom userinit approach.

re: MakeMeAdmin -- temporary admin for your Limited User account

Marc Poljak — Sun, 15 Aug 2004 14:45:00 GMT

Will Brown: Yes, I know that storing a password in a plain text file is a very bad idea, but there are tools with which you can transform a BAT file into a EXE and then obfuscate the code in order to prevent the retrieval of the password via a hex editor. With a script like MakeMeAdmin you can launch a new command shell with elevated privileges or you can launch all kind of things through a logon script. This is useful if you do not have Group Policies and Active Directory at your disposal or an installed "agent" on the client, which runs under the local system account.

But, with the /SAVECRED option I have the result which I was looking for (well, not quite what I wished, but it works and that's important!). So, thank you for getting me on the right track.

Cheers,

Marc Poljak

re: MakeMeAdmin -- temporary admin for your Limited User account

Vittorio Pavesi — Mon, 16 Aug 2004 15:16:00 GMT

I experienced a similar problem with right delegation and I developed a little utility called MyRunAs that allow you to run a program impersonating another user (like Windows RunAs) but it generate an executable where there are the user credentials and the program name crypted.
Take a look on http://spazioinwind.libero.it/vittoriop/myprojects.html
Regards

Vittorio

re: MakeMeAdmin -- temporary admin for your Limited User account

Aaron Margosis — Mon, 16 Aug 2004 20:20:00 GMT

Sean McLeod - The first time I read your post about what I called "Scary User Switching" I misunderstood exactly what you were doing. I guess it might work - have you tried it?

Note that once you apply SAVECRED, the creds can be used with other apps as well, not just the one you specified.

re: MakeMeAdmin -- temporary admin for your Limited User account

Sean McLeod — Tue, 17 Aug 2004 13:35:00 GMT

Aaron, yes what I was proposing was really just a combination of your suggestions with hopefully the best benefits of both, i.e. using a separate admin account with FUS and using MakeMeAdmin to create a logon token that is a combination of your regular (LUA) in the admin group (call this your 'MakeMeAdmin' account, although it's not really a separate distinct user account).

So you end up with a separate desktop session and all the added security benefits that brings but at the same time instead of running processes in this desktop as the administrator account and the potential hassles that brings with network credentials, installing software etc. you run as your special 'MakeMeAdmin' account.

I'll test it out on a test machine in the next couple of days and let you know how it works, just a bit busy with some 'real' work ;-)

re: MakeMeAdmin -- temporary admin for your Limited User account

Great! — Thu, 19 Aug 2004 00:44:00 GMT

I was wondering what it would take make this into a SHell extension to create a kind of SUPER_Runas feature. Would be awesome to be able to right-click on an app/shortcut and run as any user elevated to Admin or poweruser etc.

re: MakeMeAdmin -- temporary admin for your Limited User account

Great! — Thu, 19 Aug 2004 00:47:00 GMT

Low-privileged accounts and non-Windows platforms

.net DElirium — Sun, 29 Aug 2004 20:40:00 GMT

Will's Blog - Adventures of an IT Grad » Running as Limited User and Having temporary admin priveledges

TrackBack — Fri, 03 Sep 2004 05:07:00 GMT

Will's Blog - Adventures of an IT Grad » Running as Limited User and Having temporary admin priveledges

Nerhood Weblog - Digital Diary - Family, Work, Technology, Books and Media » MakeMeAdmin – temporary admin for your Limited User account

TrackBack — Fri, 03 Sep 2004 23:48:00 GMT

Nerhood Weblog - Digital Diary - Family, Work, Technology, Books and Media » MakeMeAdmin – temporary admin for your Limited User account

reuteras.com » Bra verktyg f?r Windows

TrackBack — Sun, 05 Sep 2004 23:04:00 GMT

reuteras.com » Bra verktyg f?r Windows

Take Me to Your Leader

Misc. Ramblings — Fri, 17 Sep 2004 21:06:00 GMT

Whether you use Windows or Linux, each provides for the creation of users with different security privileges. That is, the ability to execute certain functions. In Windows, the highest level is Administrator and in Linux it's called root. For the purpose of this post, I'll concentrate on Windows for...

I had more problems after switching

Martin's WebLog — Thu, 23 Sep 2004 09:40:00 GMT

Windows Update and least privlege

Deep Thoughts... — Thu, 14 Oct 2004 21:02:00 GMT

PrivBar - An IE/Explorer toolbar to show current privilege level

Lockergnome's IT Professionals — Mon, 25 Oct 2004 21:53:00 GMT

Aaron Margosis is a Microsoft employee who is writing a weblog on running Windows with least privilege on the desktop. If you are having trouble running applications under an account with less privileges than administrator, there are many useful suggestions...

Taking the Plunge

Zupancic Perspective — Sat, 13 Nov 2004 07:02:00 GMT

Taking the Plunge

Zupancic Perspective — Wed, 17 Nov 2004 00:56:00 GMT

RE: Das Henne-Ei Problem oder

Dirks WebLog — Thu, 18 Nov 2004 14:32:00 GMT

Developing software for Windows without being an admin

Aali's blog — Sun, 05 Dec 2004 00:51:00 GMT

Developing Non-Admin: File Ownership on Windows Server 2003

Geek Noise — Tue, 28 Dec 2004 02:18:00 GMT

How about a Shell Extension for MakeMeAdmin?

Michael Howard's Web Log — Wed, 05 Jan 2005 23:12:00 GMT

So that is what they were -- AntiSpyware Alerts

Robert Hurlbut's .NET Blog — Fri, 14 Jan 2005 00:49:00 GMT

re: Misconceptions about Least Privilege

.net DElirium — Thu, 27 Jan 2005 03:51:00 GMT

Least-Privileged Users, Add/Remove Programs and System Management Server

strawberryJAMM's Security and User Experience WebL — Thu, 27 Jan 2005 19:48:00 GMT

Enterprise Library 2005 available

Robert Hurlbut's .NET Blog — Sat, 29 Jan 2005 07:45:00 GMT

MakeMeAdmin -- temporary admin for your Limited User account

David Christiansen's Weblog — Sun, 30 Jan 2005 16:40:00 GMT

Running as a non-Administrator

Casa d — Mon, 31 Jan 2005 23:43:00 GMT

Running as a non-Administrator

Casa d — Mon, 31 Jan 2005 23:45:00 GMT

Low-privileged accounts and non-Windows platforms

.net DElirium — Fri, 04 Feb 2005 23:47:00 GMT

Managing Power Options as a non-administrator

Aaron Margosis' WebLog — Thu, 10 Feb 2005 07:58:00 GMT

Running as non-admin

Wes' Puzzling Blog — Fri, 11 Feb 2005 07:24:00 GMT

chris.webdevlab.com » The Non-Admin Blog

TrackBack — Tue, 15 Feb 2005 17:48:00 GMT

chris.webdevlab.com » The Non-Admin Blog

re: Making life as a LUser more livable

blog://brycem@microsoft.com — Tue, 01 Mar 2005 20:43:00 GMT

More Great Non-Admin Resources

Geek Noise — Wed, 02 Mar 2005 06:23:00 GMT

MakeMeAdmin follow-up

Aaron Margosis' WebLog — Fri, 11 Mar 2005 23:48:00 GMT

MakeMeAdmin script updates, and a security setting you should change

Table of contents, Aaron Margosis' non-admin blog

Aaron Margosis' WebLog — Tue, 19 Apr 2005 03:22:41 GMT

Complete list of Aaron Margosis' non-admin / least privilege posts, for easy lookup.

Running with a clean machine as non-admin

John Watson — Tue, 03 May 2005 03:26:04 GMT

Installing .inf files if you are living the non-admin lifestyle

Jason Haley — Mon, 30 May 2005 18:23:16 GMT

Installing .inf files if you are living the non-admin lifestyle

re: MakeMeAdmin -- temporary admin for your Limited User account

Yang — Sun, 05 Jun 2005 23:23:30 GMT

I learn something usefull today!

Spread the LUA joy

tonyso — Fri, 10 Jun 2005 19:12:43 GMT

Get your friends and family, all those folks that come to you for computer help once their machines have...

Software I have on my computer

venkatna's WebLog — Wed, 15 Jun 2005 21:57:20 GMT

I got a shiny new tablet (Toshiba M4) and spent some time installing all the software that I usually...

Need Security? - Running Windows with Least Privilege!

Daniel van Soest — Tue, 05 Jul 2005 19:11:40 GMT

Ok, ik heb vandaag wat sessies gevolgd over de security improvements in het Longhorn timeframe en hoe...

MakeMeAdmin -- temporary admin for your Limited User account

David Christiansen — Mon, 11 Jul 2005 01:59:24 GMT

Very handy tool for those of us that rightly develop under the 'least privileged' user context.

MakeMeAdmin...

MakeMeAdmin -- temporary admin for your Limited User account

David Christiansen — Mon, 11 Jul 2005 01:59:33 GMT

Very handy tool for those of us that rightly develop under the 'least privileged' user context.

MakeMeAdmin...

Least privileged user access for developers

Nigel Watling — Sat, 30 Jul 2005 00:55:06 GMT

OK, the last entry was a teaser for a blog entry or two on what developers can and IMHO should do regarding...

Switching Source Code Control Providers as Non-Administrative User

Zupancic Perspective — Mon, 01 Aug 2005 05:47:18 GMT

Running with a clean machine as non-admin

John Watson — Thu, 18 Aug 2005 20:08:20 GMT

re: MakeMeAdmin -- temporary admin for your Limited User account

ken — Thu, 25 Aug 2005 23:03:47 GMT

Anyone know how to gain Administrative Privilages with a Limited Account if you don't know the password?

Links

Murat Uysal — Mon, 05 Sep 2005 21:52:24 GMT

Links

Murat Uysal — Mon, 05 Sep 2005 21:54:52 GMT

Smart Client - Windows Forms

Murat Uysal — Mon, 05 Sep 2005 23:01:11 GMT

re: MakeMeAdmin -- temporary admin for your Limited User account

Matt — Sat, 05 Nov 2005 22:46:11 GMT

How can you get around typing in the local administrator password?

re: MakeMeAdmin -- temporary admin for your Limited User account

vxcyvxv — Wed, 16 Nov 2005 05:30:37 GMT

Simply not?

Well, there's another way to get this working without needing to pass any password at all.

Let run a priviledged service which accepts requests from users to spawn a certain process, but only if it is on a whitelist - just like suid-Bit under Linux.

There's are two alternatives known: SuSrv+SrvAny with two instances, and the commercial (free for personal use) PolicyMaker Application Security, which allows a certain fine tuning on what access should be actually granted.

re: MakeMeAdmin -- temporary admin for your Limited User account

Paul Blair — Sat, 21 Jan 2006 00:26:21 GMT

This little utility inspired me to write a service based app that allows you to launch any program as yourself with an admin token. If anyone want's to try it out and comment, you can grab it here....

http://home.toadlife.net/blog/weblog.pl?trackback=1

Thanks Aaron. :)

re: MakeMeAdmin -- temporary admin for your Limited User account

Archos — Tue, 31 Jan 2006 14:57:03 GMT

it does'nt work with me...it's asking for admin password which i don't know.

re: MakeMeAdmin -- temporary admin for your Limited User account

Aaron Margosis — Tue, 31 Jan 2006 20:13:17 GMT

Archos - that is correct. You need to have the admin password in order to do this. Otherwise it would be an unauthorized elevation of privilege!

re: MakeMeAdmin -- temporary admin for your Limited User account

Mike — Wed, 01 Feb 2006 20:17:52 GMT

Not sure what I'm doing wrong, but running this gives me an error after entering the first local admin password:

Enter the password for ADMINCOMP\Administrator:
Attempting to start C:\DOCUME~1\MSMITH~1.DOM\Desktop\MakeMeAdmin.cmdkeMeAdmin.cm
d DOMAIN\msmith as user "ADMINCOMP\Administrator" ...
RUNAS ERROR: Unable to run - C:\DOCUME~1\MSMITH~1.DOM\Desktop\MakeMeAdmin.cmdkeM
eAdmin.cmd DOM\msmith
87: The parameter is incorrect.

re: MakeMeAdmin -- temporary admin for your Limited User account

Mike — Wed, 01 Feb 2006 20:39:59 GMT

Well running it from the root of the c drive works fine. Seems as though it just refuses to run properly from the desktop.

re: MakeMeAdmin -- runas Doesn't work with password in RTL language

Yinon Ehrlich — Mon, 06 Feb 2006 21:22:24 GMT

I cannot use your batch-files, nor a simple runas.exe.
My administrator user name and password are in Hebrew. Moreover, the Administrator user name consists of more than one word. All of this is fine for me, it make me feel more secure and it works with "Shift-right-click-run-as".
But: runas does not accepts it. (I'm using Windows XP Home Ed. SP2).
Anyone has a suggestion ?

Thanks

More LUA

Wintellog — Thu, 09 Feb 2006 04:33:33 GMT

More LUA

Wintellog — Thu, 09 Feb 2006 04:37:07 GMT

re: MakeMeAdmin -- temporary admin for your Limited User account

Vatroslav Mihalj — Fri, 24 Feb 2006 17:24:23 GMT

Try using quoatation marks for domain accounts, to avoid interpreting "\" as directory separator in batch scripts

re: MakeMeAdmin -- temporary admin for your Limited User account

Aaron Margosis — Fri, 24 Feb 2006 17:44:15 GMT

Vatroslav Mihalj - I'm not sure what problem you're trying to solve. The script should already have quotes in the correct places - see where "%*" is used in the second part of the script.

re: MakeMeAdmin -- temporary admin for your Limited User account

Mike Logsdon — Fri, 03 Mar 2006 23:44:57 GMT

I have a laptop with only one user.
The past user, removed ALL users, except for
the one guy getting the laptop.
He is a Limited user, and we need to make
him a Administrator and add a USB printer.
Do you think this MakeMeAdmin will help?
Thanks
Mike Logsdon
mlogsdon@senate.state.mo.us

re: MakeMeAdmin -- temporary admin for your Limited User account

Aaron Margosis — Sat, 04 Mar 2006 00:02:03 GMT

Mike Logsdon - Rather than make the new user an admin, log on with the Admin account and install the printer from there. I assume the previous user did not delete the built-in Admin account. If there truly are no admin accounts left on the computer, reformat and reinstall Windows. Note that in order to use MakeMeAdmin, you need to have the password for an admin account, and neither the Admin nor the User account can be blank-password accounts.

re: MakeMeAdmin -- temporary admin for your Limited User account

Jürgen Barthel — Wed, 08 Mar 2006 00:42:41 GMT

Have written a little tool based on Arons idea.

Comments please here or to fli4l@online-barthel.de

http://www.online-barthel.de/Download/makemeadmin/MakeMeAdmin.exe

re: MakeMeAdmin -- temporary admin for your Limited User account

Aaron H. — Mon, 13 Mar 2006 20:33:27 GMT

Aaron, regarding Mike Logsdon's concerns, we have the same need. I thought when you add a local printer, it only installs for that user. If this is true, when you log on to the machine as the local admin, install the printer, log off and log on as the original user, then the local printer would not be listed.

Am I correct in thinking that the local printer is user specific?

Thanks!
Aaron

re: MakeMeAdmin -- temporary admin for your Limited User account

Brad — Sat, 25 Mar 2006 00:40:44 GMT

Aaron H.--

"Local Printers"--those that you physically connect to your computer, as well as those for which you add a port (e.g. Unix Print Services/IP Printing)--exist for all users. These must be installed by an administrator.

"Network Printers," for instance those shared over a Domain/SMB can be installed by anyone. Those printers exist only for the user who installs it.

Hope this helps...

re: MakeMeAdmin -- temporary admin for your Limited User account

LyndonB — Sun, 26 Mar 2006 01:46:11 GMT

Why couldn't this be used to make an attack on Windows from a Limited User Account especialy for users with blank admin passwords

re: MakeMeAdmin -- temporary admin for your Limited User account

Aaron Margosis — Mon, 27 Mar 2006 06:37:26 GMT

LyndonB, this tool does not enable elevation-of-privilege attacks. Several points:
1. You need to have the admin password in order to use MakeMeAdmin;
2. This tool will not help you guess or crack the admin password if you do not have it;
3. If you have the admin password and you're not authorized to have it, you can just log in as the admin - you don't need to use this tool;
3. If the local admin account has a blank password, you can't use RunAs with that account - blank-pwd accounts can be used only for interactive logon, not for network logon or runas. And again - if the admin account has a blank password AND you have access to the console, you can log on as the admin at the logon screen.
HTH

Fixing "LUA Bugs", Part II

Aaron Margosis' WebLog — Mon, 27 Mar 2006 19:34:31 GMT

A systematic approach for working around LUA bugs that avoids unnecessary exposure - "the rest of the story"

re: MakeMeAdmin and RTL languages

Aaron Margosis — Thu, 06 Apr 2006 18:01:12 GMT

Yinon Ehrlich, sorry for the delay in responding. Two things:
1. The version of MMA that is currently posted supports usernames containing spaces; but
2. This is what I've been told about console apps and right-to-left languages like Hebrew:
"Console apps don't support complex script languages, and this is by design. For all console apps on such languages we fall back to English. Now since the administrator user name and password are both in Hebrew the option to use Runas is not valid."

Steve Mullen’s Blog » MakeMeAdmin

Steve Mullen’s Blog » MakeMeAdmin — Mon, 10 Apr 2006 17:11:10 GMT

PingBack from http://skmullen.wordpress.com/2006/04/10/makemeadmin/

re: MakeMeAdmin -- temporary admin for your Limited User account

dhananjay singh — Fri, 28 Apr 2006 12:41:46 GMT

Dear Aaron,

I find many big enterprises admins apply this technique during some software installation, but there is down side of it.
It makes non admin user temporarily admin, which make security hole, now user can do anything like creating new local admin on that machine and letter use it as he want :)

But any on personal machine this is very useful and secure technique.

Thanks
Dhananjay

re: MakeMeAdmin -- temporary admin for your Limited User account

Aaron Margosis — Fri, 28 Apr 2006 16:39:06 GMT

dhananjay singh - There are two sides to the "non-admin" issue: users who are trusted to know when/how to elevate and do so judiciously, and users who are not trusted to make those decisions. MakeMeAdmin definitely falls into the first group. On my Table of Contents page I have separated out my posts based on that distinction: http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx

> n3wjacks blog » Blog Archive » running windows as a non-admin

> n3wjacks blog » Blog Archive » running windows as a non-admin — Fri, 28 Apr 2006 23:16:05 GMT

PingBack from http://n3wjack.net/index.php/2006/03/10/running-windows-as-a-non-admin/

re: MakeMeAdmin -- temporary admin for your Limited User account

cibgiu — Wed, 03 May 2006 19:51:27 GMT

Tool to pass crypt admin password: http://robotronic.de/runasspc/

Bye

re: MakeMeAdmin -- temporary admin for your Limited User account

Aaron Margosis — Wed, 03 May 2006 20:03:13 GMT

cibgiu - see caveats about that approach here:
http://blogs.msdn.com/aaron_margosis/archive/2006/03/27/562091.aspx

re: MakeMeAdmin -- temporary admin for your Limited User account

Sidney — Thu, 11 May 2006 19:00:10 GMT

I can not get this to work. I get the bright dos window saying Admin but when I go to install it says Im not a admin.

Please help

re: MakeMeAdmin -- temporary admin for your Limited User account

Aaron Margosis — Fri, 12 May 2006 04:40:36 GMT

Sidney - what are you trying to install? Note that not everything started from an elevated process will remain elevated: Look for the section called "When RunAs won't work" in this post:
http://blogs.msdn.com/aaron_margosis/archive/2004/06/23/163229.aspx

Calling all non-admin SharePoint developers... uh, help?

Fear and Loathing — Mon, 22 May 2006 19:03:57 GMT

I try to be a good citizen, I really try. I tried to take the plunge today to create a non-admin user...

re: MakeMeAdmin -- temporary admin for your Limited User account

Coby — Thu, 25 May 2006 04:52:29 GMT

Please e-mail me back at dulitzki322@gmail.com, I'm a limited account and I don't have access to the admin's account, is there any way, maybe through cmd, to become an admin, or at least to make another admin account from a limited account. If not is there any way to find out an admin's password?

Issues with installing MSBee as a non administrator user

Bertan's Blog — Fri, 16 Jun 2006 21:25:37 GMT

MSBee requires administrative rights to be installed and same thing is true for .Net Framework 1.1 SDK...

Running VSTS4DB as a Non-Admin User

James Dawson's Blog — Mon, 19 Jun 2006 19:21:07 GMT

I'd heard about this forthcoming edition of Visual Studio 2005 Team System (Team Edition for Database...

Another MakeMeAdmin implementation

Gabor — Mon, 19 Jun 2006 21:05:35 GMT

A new project has been just launched recently called sudoWn. It is based on the original MakeMeAdmin way but it is developed further for desktop PC users. You can find the project page @ http://sudown.mine.nu

REparsed » Blog Archive » Secure Surfing Six Months Later

REparsed » Blog Archive » Secure Surfing Six Months Later — Sat, 24 Jun 2006 19:52:14 GMT

PingBack from http://reparsed.net/2006/06/24/secure-surfing-six-months-later/

MakeMeAdmin -MadeMeAdmin

Denno — Fri, 30 Jun 2006 08:46:19 GMT

I had to change the system on my computer but did not have access to an admin account thanks to your help i could change the setting (that only could be accessed by an admin) and the computer doesn't stuff up anymore

thanks denno

jon » Blog Archive » Change group membership token for user

jon » Blog Archive » Change group membership token for user — Thu, 06 Jul 2006 22:13:32 GMT

PingBack from http://jonc.wordpress.com/2006/07/06/change-group-membership-token-for-user/

re: MakeMeAdmin -- temporary admin for your Limited User account

ahmad azry — Sat, 05 Aug 2006 18:36:55 GMT

how do i make my limited account to a admin account without a admin password...

You can't. If that were possible there would be no reason to have limited accounts.

-- Aaron

re: MakeMeAdmin -- temporary admin for your Limited User account

Rage — Tue, 15 Aug 2006 14:04:53 GMT

Is there a way to gain the orginal password? after the admin password change.

No.

-- Aaron

re: MakeMeAdmin -- temporary admin for your Limited User account

Les Weston — Thu, 17 Aug 2006 17:19:04 GMT

Hmmm. I mistakenly tested MakeMeAdmin while already logged into my Admin account. Now my Admin account has mysteriously lost its Administrator privileges (it is now showing up as a Limited Account). Is there any way to recover from this situation?

I tried a System Restore from the "Last known good configuration", but I had already rebooted before I noticed the problem, so the last "Good" configuration was no better. And my 'Get Out Of Jail Free' card (using System Restore to select a restore point that predates the problem) can't be used because System Restore needs to run from an account with Administrator privileges. Catch 22?

This is on a system running XP Pro SP1. I'm half way through installing SP2 in a separate partition, so it's not a huge problem if this installation is beyond repair. But it does make me wary of trying MakeMeAdmin again.

-Les.

That problem has been noted before. Some (at least partial) solutions are discussed in the comments to the follow-up post, particularly here and here.

One can only do so much with a .cmd script. Maybe one of these days I'll make a PowerShell version of the script.

-- Aaron

WCF Troubles « jeff handley

WCF Troubles « jeff handley — Sat, 26 Aug 2006 09:57:20 GMT

PingBack from http://jeffhandley.wordpress.com/2006/08/21/wcf-troubles/

MakeMeAdmin And Console MatchMaker

you've been HAACKED — Wed, 30 Aug 2006 21:55:36 GMT

MakeMeAdmin And Console MatchMaker

re: MakeMeAdmin -- temporary admin for your Limited User account

Diane Kepo'o — Mon, 11 Sep 2006 22:34:05 GMT

Hi,
I was wondering if you can humbly post the command line that will automatically input the administrator's password. We're trying to eliminate any user interaction when it comes to logging in as the local administrator.

Thanks so much for the help!

Diane

Windows does not provide such a tool. Runas.exe accepts passwords and smartcard PINs only through keyboard input. I'm not on the Windows team and never have been so I don't know for sure, but I suspect the reason for this is to discourage people from putting plaintext passwords in plaintext script files. For alternatives, see option #5 in Fixing LUA Bugs Part II, but please take note of the risks involved.

-- Aaron

re: MakeMeAdmin -- temporary admin for your Limited User account

arjen — Mon, 18 Sep 2006 12:33:43 GMT

How can I use it to uninstall programs or application?
Can someone help me with this.... tnx!

From a MakeMeAdmin command prompt, you can get to the Add/Remove Programs applet by running "appwiz.cpl".

-- Aaron

Running VSTS4DB as a Non-Admin User

James Dawson's Blog — Wed, 20 Sep 2006 02:22:37 GMT

I&#39;d heard about this forthcoming edition of Visual Studio 2005 Team System (Team Edition for Database

re: MakeMeAdmin -- temporary admin for your Limited User account

bob — Sat, 23 Sep 2006 13:57:49 GMT

I am an admin and I need to find out a limited user's password without changing it or them knowing. How?

Sorry, there is no interface to support that. Why do you need to do that?

-- Aaron

re: MakeMeAdmin -- temporary admin for your Limited User account

Raghavendra — Tue, 26 Sep 2006 16:49:20 GMT

same as secondary login......
end task user's explorer.exe...and then use
****runas /user:administrator explorer.exe****
and there you will login as administrator...
do the admin tasks and logoff from administrator .......
now end task and start explorer.exe for user again...and you see that opened applications also wont get affected

I've posted a better solution here that doesn't require killing your existing explorer.exe instances. And, BTW, the idea you proposed doesn't address the scenarios that MakeMeAdmin (the subject of this post) was designed for.

-- Aaron

Least Privilege

Stefan Olsson — Fri, 29 Sep 2006 14:14:47 GMT

Problematiken rörande lokala administratörer, man stöter allt för ofta på administratöerer som löser...

re: MakeMeAdmin -- temporary admin for your Limited User account

Marco Pires — Wed, 11 Oct 2006 12:08:14 GMT

Hi , this is a useful tool.

I work in a large construccion company, and we use (in the headquarters) VNC for acessing computers located outside in numerous construccion sites. On these sites , the Pc's are in workgroups with acess to the domain network. What happens sometimes : people go from site to site , and have to change workgroup. Sometimes when you do this , you stop having access to VNC because the windows xp firewall blocks it . Is there a way to run MakeMeAdmin with the "netsh firewall set AllowedProgram" over ip or computer name?

If not i'll just have to go there...

Thanks.

If the remote system is blocking remote administration, then you're not going to be able to change the firewall settings remotely.

-- Aaron

re: MakeMeAdmin -- temporary admin for your Limited User account

Scott — Tue, 17 Oct 2006 12:25:12 GMT

Make one where you dont need ther administrators password because i stuffed up my computer by changing the admins password too fast =(

You're asking for a hacker tool. MakeMeAdmin is not a hacker tool, and I don't make hacker tools. :-)

-- Aaron

re: MakeMeAdmin -- temporary admin for your Limited User account

Earl Savino — Sun, 29 Oct 2006 18:37:30 GMT

Look for transparent solution within a VB6 app to create special shared folder privledges for domain users ONLY when using the VB6 app.

re: MakeMeAdmin -- temporary admin for your Limited User account

Earl Savino — Sun, 29 Oct 2006 18:37:49 GMT

Look for transparent solution within a VB6 app to create special shared folder privledges for domain users ONLY when using the VB6 app.

fintek@comcast.net

Runnig a batch process

dgley — Tue, 21 Nov 2006 16:43:14 GMT

Can you send it a batch file to run in the final window. I have a bat file containing the net use to map a network drive. I would like this to run this in the final cmd window so that a drive is mapped in the admin session.

Is this possible?

Sure -- just add the batch file you want to the _Prog_ variable. The "/k" option means "run the following command when cmd.exe starts, and then continue running." (The similar /c option runs the command you specify and then exits the shell.) The && strings multiple commands together.

HTH

-- Aaron

locked out of my laptop only limited access please help!!!!

steve — Wed, 29 Nov 2006 03:36:42 GMT

hi i am having problems with my lap top witch i got from a computer fair the make of the laptop is "stone computers". when i turned it on and tryed to change my user name it wouldnt let me go into the user accounts area as it said i didnt have correct rights to do so. i also tried booting my windows xp disk but it says access denied. i also tried accessing my bios settings but they have also password protected that aswell. iv tried the hiren`s boot cd but i cannot boot from cd. anyone have any ideas on how to gain access to my laptop?

re: MakeMeAdmin -- temporary admin for your Limited User account

David Gley — Fri, 15 Dec 2006 18:32:41 GMT

We must logon now with a CAC card now. Since then, I have been unable to use the MakeMeAdmin. I can logon on the first part as Administrator and it successfully adds me to the administrator group. It then asks for my limited account password and this is where it fails. I get the following error in the DOS window:

*****************

Starting program in new logon session...

Enter the password for MYDOMAIN\myuserid:

Attempting to start cmd.exe /k Title *** MYDOMAIN\myuserid as Admin *** as user "MYDOMAIN\myuserid" ...

RUNAS ERROR: Unable to run - cmd.exe /k Title *** MYDOMAIN\myuserid as Admin ***

1327: Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.

Press any key to continue . . .

*****************

Is there anyway to fix this.

David, does it work if you use MakeMeAdminSC, which comes in the same .zip download? It uses "runas /smartcard" to do the "re-login" using smartcard credentials instead of a password. From the MakeMeAdmin followup post:

MakeMeAdminSC works just like MakeMeAdmin but uses smart card authentication for the current user instead of password authentication, via the runas.exe /smartcard option. Insert your smart card before running MakeMeAdminSC; it will prompt you for the admin password, then for your smart card PIN. (In order to work, the smart card needs to be associated with the account you’re currently logged in under.)

-- Aaron

re: MakeMeAdmin -- temporary admin for your Limited User account

David Gley — Mon, 18 Dec 2006 17:50:16 GMT

It adds me to the Admin group but it also fails in the second logon. Here is the results:

**********

Adding user MYDOMAIN\myuserid to group Administrators...

The command completed successfully.

Starting program in new logon session...

Reading smart cards.....

The following errors occurred reading the smart cards on the system:

No card on reader 2

Using the card in reader 1. Enter the PIN:

RUNAS ERROR: Unable to acquire user password

Press any key to continue . . .

**********

David, I suspect that since CAC cards are not standard, off-the-shelf smartcards, they may not be compatible with the expectations of Windows' built-in credential handling. Feel free to contact me via the email link above to dig into this further.

-- Aaron

keycruncher.com » makemeadmin - Windows XP Admin Escalation Tool - Dennis Little practicing free, intelligent thought

Sat, 06 Jan 2007 06:30:49 GMT

PingBack from http://keycruncher.com/blog/2005/08/23/makemeadmin-windows-xp-admin-escalation-tool/

re: MakeMeAdmin -- temporary admin for your Limited User account

steve b — Tue, 16 Jan 2007 14:45:11 GMT

can this tool be used to make a logoff script reboot or shutdown a windows xp machine?

it just seems to be impossible

thanks

Sorry, I just don't understand what you're asking here. gpedit.msc will let you specify logon/logoff scripts.

HTH

-- Aaron

re: MakeMeAdmin -- temporary admin for your Limited User account

jake — Sat, 27 Jan 2007 01:27:47 GMT

hey, i have just one problem. i cant seem to download some of my games without an administrator priviledge?

Jake --

Can you describe the problem more precisely?

-- Aaron

re: MakeMeAdmin -- temporary admin for your Limited User account

Jason — Sat, 27 Jan 2007 17:16:29 GMT

What is the temp admin password? How do you change it? www.greenlush.com

Alternative to RunAs (so you can automate typing the admin password)

[deXter] — Mon, 29 Jan 2007 15:30:08 GMT

For users who'd like to automate typing in the admin password, a better alternative to RunAs would be using Mark Russinovich's PsExec.exe tool (part of the PsTools suite). PsExec allows you to specify the username and password in the commandline.

Alternative to RunAs (so you can automate typing the admin password)

Les Weston — Tue, 30 Jan 2007 15:10:17 GMT

> For users who'd like to automate typing in the admin password, [...] PsExec allows you to specify the username and password in the commandline.

Isn't that compromising the security of your PC? Anyone who gets sight of your command line can see the username and password of your Administrator account in plaintext.

-Les.

re: MakeMeAdmin -- temporary admin for your Limited User account

dexter_m — Fri, 02 Feb 2007 16:24:33 GMT

If its an issue, then you could make a program to launch psexec. That way you wouldn't be storing it in plaintext. To make it somewhat more secure, you could perhaps encrypt the password and obfuscate the exe.

re: MakeMeAdmin -- temporary admin for your Limited User account

Iggs — Sat, 03 Feb 2007 04:25:44 GMT

I'm not a scripting guy, I'm a sysadmin. I would love to use this script for making administative changes on users'. By default Domain Admins are members of local Administrators group, but I never sure what is local administrator's password is. I tried making changes to the script to prompt me for username and password of an account with admin rights, which is a domain admin account and it works, however for some reason it does it twice. I used SET /P for that, just for the reference, I would like to know how to populate _Admin_ variable with something I want.

Thank you in advance.

Iggs: the only change you should need is to change the set _Admin_ line to
set _Admin_=MYDOMAIN\MyAdminAccount
where MYDOMAIN and MyAdminAccount are replaced with your domain and your domain admin account. Is that not working? When you say, "it does it twice", what do you mean -- it does what twice? Note that with MakeMeAdmin, you get prompted for two passwords: first the admin account password, then the password of the user you're temporarily elevating.

HTH

-- Aaron

Setting color for all CMD shells based on admin/elevation status

Aaron Margosis' WebLog — Fri, 23 Feb 2007 08:55:50 GMT

How to automatically set the color and title of *all* CMD shells based on admin/elevation status with a one-time, one-line configuration change to your system.

Mark’s (we)Blog » Using unprivileged accounts in Windows

Mark’s (we)Blog » Using unprivileged accounts in Windows — Fri, 23 Feb 2007 16:09:14 GMT

PingBack from http://www.youknowone.co.uk/blog/2006/05/using-unprivileged-accounts-in-windows.htm

Mark’s (we)Blog » Using unprivileged accounts in Windows

Mark’s (we)Blog » Using unprivileged accounts in Windows — Sun, 25 Feb 2007 00:19:11 GMT

PingBack from http://markwilson.me.uk/blog/2006/05/using-unprivileged-accounts-in-windows.htm

re: MakeMeAdmin -- temporary admin for your Limited User account

Vincent — Wed, 28 Feb 2007 19:20:25 GMT

I've been using MakeMeAdmin for quite a while, but on a recent install of XP on a laptop, when running Windows Explorer with elevated privileges, the view does not refresh after, for example, deleting or moving files. This happens with other dynamic views, such as Network Connections (if I turn off my wireless network card, it still shows it in the view unless I hit F5). This only happens when I use MakeMeAdmin to elevate privileges, under normal privileges (the user account is only in the Users group) the views refresh, and similarly if I log into the Administrator account, the views behave accordingly.

I promise I've tried hitting Google up as many different ways as I could think of, but I'm at a loss, and out of five computers I run MakeMeAdmin on, this only happens on one. Any help would be most appreciated, thanks.

re: MakeMeAdmin -- temporary admin for your Limited User account

Iggs — Thu, 01 Mar 2007 18:22:19 GMT

I'm having the same problem. The window with elevated privileges does not refresh, I have to hit F5. Not sure why.

BTW, this also happens when I use WinSUDO (another great tool).

Iggs/Vincent/and others:

Hmm, I thought I had posted about this at some point, but I guess I haven't. The problem is that the way Explorer does refreshes is that there is one central location, in one Explorer process, that performs the actual change monitoring. (*) When a change event occurs, that process notifies the Explorer windows that registered interest. The problem is that the transferring of the information requires cross-process access, which gets blocked when the desktop Explorer tries to open the admin Explorer process.

(*) Obvious question is "why was it done this way?" The answer is (like many other answers) that Windows Explorer was architected for an OS that needed to be able to run on systems with 4MB of RAM. Since Explorer was never designed to support multiple security contexts (and still isn't even on Windows Vista), there has not been a need to change this implementation.

-- Aaron

re: MakeMeAdmin -- temporary admin for your Limited User account

iggs — Thu, 01 Mar 2007 18:26:01 GMT

Aaron, I would like to continue this thread.

You wrote.

======================================

Iggs: the only change you should need is to change the set _Admin_ line to

set _Admin_=MYDOMAIN\MyAdminAccount

where MYDOMAIN and MyAdminAccount are replaced with your domain and your domain admin account. Is that not working? When you say, "it does it twice", what do you mean -- it does what twice? Note that with MakeMeAdmin, you get prompted for two passwords: first the admin account password, then the password of the user you're temporarily elevating.

HTH

-- Aaron

=========================================

Sorry for my explanation, when I said it does it twice I meant it asks for the DOMAIN ADMIN account and the password twice and then it asks for the current user password. This is something I'm missing in the script. Not a big deal tho...

Thanks...

Did you make any changes to the script other than the value of the _Admin_ variable? Did you leave the SET /P in by accident?

-- Aaron

re: MakeMeAdmin -- temporary admin for your Limited User account

christian — Fri, 02 Mar 2007 15:13:45 GMT

i got your makeadmin from last year.. it does work once.. but when i try to use it now w windows xp.. it wont work anymore. When i double click the MakeMeAdmin.exe it prompt w this..mydomain/administratore enter new password:_!! but when i press any key n the key board it doesnt show in dos prompt.. so i press enter then ERROR:msg error in line... wrong password!! some one help!! so i can install freelly! thanks..

Christian --

When RUNAS prompts you for a password, it does not echo any characters back to the console. Make sure you type the entire password before you press Enter.

Hope this helps.

-- Aaron

re: MakeMeAdmin -- temporary admin for your Limited User account

Chris Smith — Wed, 07 Mar 2007 19:58:26 GMT

Hello.

I'm very very bad at using PCs. I need to get admin so I can use it to download some things but I'm not quite sure how to use MakeMeAdmin.

Do I need to know the admin password (Which i dont know)?

Maybe you can give a newbie step by step for a not very PC tunned person.

Thanks in advance.

Yes, you need to have the password for an admin account to use MakeMeAdmin.

-- Aaron

re: MakeMeAdmin -- temporary admin for your Limited User account

Chris Smith — Wed, 07 Mar 2007 21:59:09 GMT

Is there a way of doing it without? If I knew the password I wouldn't be looking at MakeMeAdmin to make me admin :/

If there were, that would constitute a huge hole in the Windows security model -- the whole model would be pointless, wouldn't it? MakeMeAdmin doesn't support *unauthorized* elevation of privilege.

-- Aaron

re: MakeMeAdmin -- temporary admin for your Limited User account

Chris Smith — Wed, 07 Mar 2007 23:44:00 GMT

Thats rubbish then. Is there anyway of getting temporary admin rites to download/install something? I really need to get something installed and can't.

Thanks for the replies dude.

Rubbish? How? Whose computer are you using, anyway? If you need something installed, get a legitimate admin of the system to help you out.

-- Aaron

re: MakeMeAdmin -- temporary admin for your Limited User account

Chris Smith — Thu, 08 Mar 2007 00:41:50 GMT

Its my family PC. Lets just say my dad is the kind of person who thinks that doing the simplist of things will slow down the PC and make it rubbish. My dad is the admin so I dont think there is much of getting what I want done.

Add me on msn if you can: greenink.chris@hotmail.com

Its not rubbish by the way. Just not as good as I hoped :)

re: MakeMeAdmin -- temporary admin for your Limited User account

deXter — Sun, 18 Mar 2007 07:32:05 GMT

If you don't have enough knowledge/skill to hack/crack/bypass the admin account of a PC you have physical access to, then your Dad was right in restricting you. Why dont you spend your time learning computers? Maybe your dad will trust you more then.

Odd logic there, deXter...

-- Aaron

re: MakeMeAdmin -- temporary admin for your Limited User account

MENDRES — Mon, 19 Mar 2007 16:01:59 GMT

i prompt with this problem while running "MakeMeAdmin"..(my OS:XP prof with SP2)

Enter the password for MyCompName\Administrator:_

Attempting to start D:\MakeMeAdmin\MAKEME.CMD MyCompName\myuseraccount

1327: Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.

Press any key to continue...

MENDRES: If the local admin account has a blank password, you can't use RunAs with that account - blank-pwd accounts can be used only for interactive logon, not for network logon or runas. So in order to use MakeMeAdmin, neither the Admin nor the User account can be blank-password accounts.

HTH

-- Aaron

re: MakeMeAdmin -- temporary admin for your Limited User account

Matt — Wed, 11 Apr 2007 13:23:40 GMT

I've been running into some problems with this program. Well, I did download it, and know a little about cmd myself, but every time I run the program, it asks me for a password, which of course I don't know... Is there something I overlooked to surpass this problem? Please help.

re: MakeMeAdmin -- temporary admin for your Limited User account

Matt — Wed, 11 Apr 2007 13:33:01 GMT

Sorry for the double post, but here is what it leaves me with

Attempting to start C:\Docume~ ...

RunAs Error: - Unable to run C:\Docume~...

1326: logon failure: unknown user name or bad password

Help?

Matt: Sorry, but there's insufficient information here. Can you provide more detail?

-- Aaron

Garrett Fitzgerald’s Blog » Archive » Eating at McDonald's can be a good thing

Mon, 16 Apr 2007 17:37:03 GMT

PingBack from http://blog.donnael.com/?p=690

re: MakeMeAdmin -- temporary admin for your Limited User account

Baqir — Tue, 17 Apr 2007 19:17:38 GMT

If i don't have the admin pass? It seems to does not work right?

Any comment?

re: MakeMeAdmin -- temporary admin for your Limited User account

Baqir — Tue, 17 Apr 2007 19:18:36 GMT

If i don't have the admin pass and using a limited account? It seems to does not work right?

Any comment?

re: MakeMeAdmin -- temporary admin for your Limited User account

deXter — Tue, 17 Apr 2007 21:30:13 GMT

Aaron:

Why don't you put a big red heading on the top of this page saying "This is NOT a hacking program- you NEED to know your Admin password for this program to work!"

Would save you the trouble of having to reply to every newbie :)

deXter: Great idea. Or I could just ignore them... :-)

-- Aaron

re: MakeMeAdmin -- temporary admin for your Limited User account

Baqir — Wed, 18 Apr 2007 14:35:26 GMT

lol...tehre was no need to say all these things, you could say two things.first, this is not hacking program, second (more logic, i don't know how...

any way tnx for ur comments

MakeMeAdmin on Vista

Patrick Rynhart — Tue, 08 May 2007 04:55:02 GMT

Hi Aaron,

The scenario is that I'm logged in as a Standard User (i.e. non-administrator) on Windows Vista, and I want to access the "me as admin" context.

If I use MakeMeAdmin then I get an administrative token, but it is filtered (i.e. any application that I launch from that command prompt will trigger a UAC prompt).

If (in the filtered command prompt) I type

explorer /separate

and then right click on a Command Prompt and select "Run as administrator", then I get an unfiltered command prompt.

My question is how can I get a command prompt with unfiltered admin rights without having to perform two steps (as above).

Thanks,

Patrick

Patrick: I started playing around a while ago with a version of MakeMeAdmin for Vista, but never finished it. Frankly, it's not as important on Vista anyway, since Vista gives you that functionality out of the box (if you're a member of the Administrators group), with significant improvements over how we needed to do it in XP.

-- Aaron

Mr

Ken Green — Tue, 08 May 2007 16:46:24 GMT

HP have suggested I contact you. I am inexperienced in computers. When I start up a message box appears showing two keys in the left corner and asking which account I want to use to run this program. I have no idea what program it refers to and have tried OK, cancel, run and X, but it still appears. Please how do I get rid of it? I am using XP and HP computer.

The message also says "Current user (owner) protect my computer & data from unauthorized program activity. This option can prevent computer viruses etc. but selecting it might cause the program to function improperly.

All I want to do is to cancel out this box.

Many thanks

re: MakeMeAdmin -- temporary admin for your Limited User account

Scott — Wed, 30 May 2007 21:30:22 GMT

Aaron,

I apologize in advance if I'm asking this question in the wrong thread. I work for the U.S. government and we use two-factor authentication (Gemplus smartcards) in an Active Directory domain.

My question (2 parts) is this; is it possible to use a runas command which authenticates through the smartcard? The main reason for this is to load user specific applications (so we have to be in their user environment).

If not runas, would "net use" be capable?

Thanks for any advice you can give me.

Scott:

First: try RunAs.exe /smartcard

Next: Take a look at the MakeMeAdminSC version of MakeMeAdmin, referenced in the follow-up post to this one: http://blogs.msdn.com/aaron_margosis/archive/2005/03/11/394244.aspx

HTH

-- Aaron

re: MakeMeAdmin -- temporary admin for your Limited User account

Scott — Thu, 31 May 2007 00:51:51 GMT

Aaron,

Thank you for your help, and I apologize for not spending more time researching before taking up your time.

Respectfully,

Scott

How to restore your account to the Administrators group ...

najevi — Tue, 12 Jun 2007 06:09:19 GMT

MakeMeAdmin & PrivBar are great tools. Thank you Aaron.

post.[/url] Les describes the same situation as mine but the posted replies address patches to the code within MakeMeAdmin.cmd and not any immediate remedy to the situation such a user finds themselves in.

...Using a system restore point is overkill so here is a more 'surgical' approach:-[/i]

I accidentally ran MakeMeAdmin from an account that already belonged to the Administrators group. (I do recall a message indicating something to the effect that user was already a member of some group and I glossed past it.) On later inspection of the MakeMeAdmin.cmd file I found it did not have the [url=http://blogs.msdn.com/aaron_margosis/archive/2005/03/11/394244.aspx#495385]extra few lines of code[/url] designed to exit the command script when this error is detected.

Some time after closing the marron coloured command prompt window opened by MakeMeAdmin I pressed "Win+L" to switch users only to find two unusual things:

[list=a]

[*] 'Administrator' account appeared in my Welcome Logon screen (previously it had been absent)

[*] 'Surgeon' account did not appear but was accessible using Ctl-Alt-Del. [i]('Surgeon' is that user account with Admin privileges that was created during WinXP installation because XP setup requires you to specify at least one user name.)[/i] Surprise of surprises: 'Surgeon' had been removed from the Administrators group and since it did not belong to any other group it was not visible from within the 'User Accounts' applet accessed via Control Panel.

[/list]

So there's the problem and these are the fixes that worked for me:

[u]]Fix for (a).[/u]

[list=1]

[*] Start -> Run... -> regedit -> [Enter]

[*] navigate to registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

[*] add a DWORD value named Administrator

[*] Assign it a value of 0 (i.e leave as the default)

[*] logout

[/list]

[u]Fix for (b).[/u]

[list=1]

[*] Start -> Run... -> compmgmt.msc -> [Enter]

[*] System Tools/Local Usres and Groups/Groups

[*] Right click Administrators -> Add to group ... -> Add...

[*] in the "Enter the object names to select" box type the account name eg. Surgeon

[/list]

enjoy!

p.s. I very much appreciated your [url=http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx#1779626

]explanation[/url] of why one needs to frequently hit F5 (Refresh) while exploring folders in a different security context than the desktop.

Wie beschneide ich einen Administrator? - MCSEboard.de MCSE Forum

Wie beschneide ich einen Administrator? - MCSEboard.de MCSE Forum — Tue, 12 Jun 2007 16:58:56 GMT

PingBack from http://www.mcseboard.de/windows-forum-ms-backoffice-31/beschneide-administrator-115192.html#post711657

re: MakeMeAdmin -- temporary admin for your Limited User account

Vivian — Wed, 20 Jun 2007 21:25:17 GMT

Hi,

Please help me out: I just want to have the passwords as arguments in makemeadmin.cmd.

Thanks.

Vivian

Vivian: MakeMeAdmin is built on RunAs.exe, which specifically requires that passwords (or smartcard PINs) be typed at the console, to help avoid the security problems of passwords being stored in plain-text script files.

-- Aaron

re: MakeMeAdmin -- temporary admin for your Limited User account

Chomno Chan — Thu, 21 Jun 2007 19:27:13 GMT

its doesn't work for me it didn't give the second command shell

And so this is Vista…

Aaron Margosis' "Non-Admin" WebLog — Thu, 28 Jun 2007 22:23:33 GMT

What becomes of all my earlier non-admin tips, tricks and recommendations vis-à-vis RunAs, MakeMeAdmin, PrivBar and their interactions with IE and Explorer? The short answer is that Vista changes just about everything with respect to running with least

Job: Security » Blog Archive » Introducing Alcatraz: Convenient Least-Privilege for Windows XP and Vista

Fri, 29 Jun 2007 12:34:57 GMT

PingBack from http://www.rachner.us/blog/?p=6

Handeling your computer security and dealing with Spyware and viruses

Mischa Kroon — Tue, 10 Jul 2007 20:26:31 GMT

Viruses and Spyware are annoying to deal with that’s why the following is a bit of a guide to make sure

re: MakeMeAdmin -- temporary admin for your Limited User account

Carlos Vasquez — Thu, 16 Aug 2007 18:31:11 GMT

Aaron,

Is there a way to actually input the admin password, I will be using this on over 2000 laptops and each person assigned to one of these laptops I don't want to give them the admin password. So I want to see if the makemeadmin batch can be modified.

Carlos

[Aaron Margosis] MakeMeAdmin is built on RunAs.exe, which specifically requires that passwords (or smartcard PINs) be typed at the console, to help avoid the security problems of passwords being stored in plain-text script files.

That's a lot of systems to manage -- are they joined to a domain? What kinds of tasks are you doing that require MakeMeAdmin? There is likely a more scalable approach.

tartley.com » Unexpected Error

tartley.com » Unexpected Error — Sat, 18 Aug 2007 18:39:41 GMT

PingBack from http://tartley.com/?p=202

re: MakeMeAdmin -- temporary admin for your Limited User account

Rik — Tue, 21 Aug 2007 23:46:38 GMT

Thanks for this handy script, Aaron. I had to make a small edit to get it to work for me: my Administrator doesn't have access to my limited user folders so it doesn't work to have the script call itself. Instead, I told the script to put a copy of itself in the Shared Documents folder and run from there. Here's the edit:

- runas /u:%_Admin_% "%~s0 %_User_%"

+ if not exist "%AllUsersProfile%\Documents\%~nx0" copy "%~0" "%AllUsersProfile%\Documents"

+ runas /u:%_Admin_% "\"%AllUsersProfile%\Documents\%~nx0\" %_User_%"

Cheers,

Rik

[Aaron Margosis] MakeMeAdmin.cmd needs to be installed in a folder in which all users have at least Read permissions.

Restricted user account « The Official MartinZ Blog

Restricted user account « The Official MartinZ Blog — Tue, 18 Sep 2007 17:26:32 GMT

PingBack from http://martinz.wordpress.com/2007/09/12/restricted-user-account/

re: MakeMeAdmin -- temporary admin for your Limited User account

djONE — Tue, 25 Sep 2007 19:13:54 GMT

I am having the wirst luck! I need to have a script that reboots both Windows 2000 and Windows XP machines. I put the shutdown.exe file in a remote directory everyone has access to and point a bat file I made to run it from there, however, it days they do not have the correct privileges to run it. I even tried replacing the shutdown.exe method with a vbs script and it gives me the same privileges error! I'm stuck! Don't know what to do!

djONE.

[Aaron Margosis] See this post.

re: MakeMeAdmin -- temporary admin for your Limited User account

djONE — Tue, 25 Sep 2007 21:46:22 GMT

Aaron,

Thanks so much for the reply, but isn't that just a workaround for the current PC I am working on?

I have a network with both 2000 and XP Pro SP2 computers and we plan to send them all a bat file e-mail that contains a command to re-map their printers to a different server (Since we recently went virtual), and then the second command, would be to execute the shutdown.exe -f -r -t 0 command.

The shutdown.exe is on a remote server that every computer has access too since I know only XP computers have it, I put it out there remotely so not to run into issues with the 2000 boxes.

Anyway, the printers switch servers fine, then when the bat file goes to execute the shutdown command, I get the error "A required privelege is not held by the client" and continue to get it; even though I followed the instructions in that link to a tee; though I have a feeling that is only for the one computer that you run those steps on. Correct me if I am wrong though. Also if this is the case, is there a way to do an entire network policy change rather than just localc for that one computer? Or what can I do? I'm so lost and frustrated! I appreciate all your help!

Thanks again and have a great afternoon!

djONE.

re: MakeMeAdmin -- temporary admin for your Limited User account

djONE — Tue, 25 Sep 2007 22:16:22 GMT

Actually, I figured it out somewhat.

I just downloaded PsTools and put that on the remote server where shutdown.exe was.

Now I changed the command line to psshutdown.exe instead of shutdown.exe and it works fine without any errors except for them having to accept (Press the "agree" button) the EULA agreement each time for each computer (I was hoping after accepting the terms once, it would save that preference on the remote location, but it didn't), so oh well.

Good enough for now, unless you have any other ideas?

And like I said above, I appreciate all your help! You have been great through all of this!

Thanks again and take care!

djONE.

[Aaron Margosis] PsShutdown might do it. If you go with shutdown.exe and it is executed in the context of an interactively logged-on non-admin, then the fix needs to be applied on the systems where they are executing the command.

For the PsShutdown EULA, just run it one time on each system in the non-admin's context ahead of time...

How to make your computer safer? - x10Hosting Forums

How to make your computer safer? - x10Hosting Forums — Tue, 16 Oct 2007 17:01:14 GMT

PingBack from http://forums.x10hosting.com/tutorials/33416-how-make-your-computer-safer.html#post203262

Xtreme News » Blog Archive » Escalando Privilegios XP

Xtreme News » Blog Archive » Escalando Privilegios XP — Tue, 16 Oct 2007 19:26:06 GMT

PingBack from http://xtremenews.uni.cc/?p=37

re: MakeMeAdmin -- temporary admin for your Limited User account

Jaleel — Thu, 25 Oct 2007 08:29:11 GMT

If I dont have admin privilege in the machine , what can I do...?Example, in our company we dont have admin privilege for a normal user.

Also, If I have admin privilege, and want to use it very sparingly ( i mean only for the actions which demands admin power) and all other times be a normal user , what should I do? If a user in the domain is elevated to admin, then how can that user run or develop applications as a non-admin .This is very important requirement to ensure the running of our developing applications will run with a local user of any machine..

re: MakeMeAdmin -- temporary admin for your Limited User account

this is fake — Mon, 29 Oct 2007 22:25:09 GMT

this is stupid it doesn't work

[Aaron Margosis] ???

re: MakeMeAdmin -- temporary admin for your Limited User account

peter chasen — Mon, 03 Dec 2007 10:49:50 GMT

I have a new Vista laptop I've been struggling with.After reading the above and wasting half a day, I'm returning it! Then I will buy a Mac

that is largely free of such aggrivations yet

still runs Win, and that shall be XP, thank god!

I think Vista's a loser and so is Microsoft as

Google goes into overdrive.

[Aaron Margosis] This seems like a pretty wildly misplaced complaint. This is a post about MakeMeAdmin, which was designed specifically for XP/2003. There is little reason to run it on Vista, since it makes same-desktop-elevation of your current account incredibly easy. So I don't understand why you're upset.

re: MakeMeAdmin -- temporary admin for your Limited User account

hugo oyunlari — Wed, 12 Dec 2007 02:03:56 GMT

That said, RunAs has a /savecred option (discussed in a different context in this post). It doesn't expose the password directly, but it is possible for the password to be exposed. Using /savecred also allows the user to run other things with the same account without having to enter a password. And finally, once you allow something to run as admin, it is impossible to ensure that the admin rights will be used only for the tasks you think you're authorizing.

re: MakeMeAdmin -- temporary admin for your Limited User account

Dan — Fri, 14 Dec 2007 19:46:02 GMT

I am trying to run this on a Windows XP Home machine. I changed the registry for "nondefaultadminowner" to 0 as described and have set an "administrator" password on the computer. However, when I run MakeMeAdmin from my limited user account, I am unable to type in the command screen. It does register when I hit return and I get the following error:

Enter the password for DAN\Administrator:

Attempting to start C:\DOCUME~1\DANREC~1\Desktop\MAKEME~1\MAKEME~1.CMD DAN\Dan R

eckner as user "DAN\Administrator" ...

RUNAS ERROR: Unable to run - C:\DOCUME~1\DANREC~1\Desktop\MAKEME~1\MAKEME~1.CMD

DAN\Dan Reckner

1327: Logon failure: user account restriction. Possible reasons are blank passw

ords not allowed, logon hour restrictions, or a policy restriction has been enfo

rced.

Press any key to continue . . .

Please help me to figure out why I can't type during the prompt.

Thanks

[Aaron Margosis] Make sure that both accounts have passwords, and that the script is in a location that is readable by both accounts (e.g., not on the admin's desktop).

re: MakeMeAdmin -- temporary admin for your Limited User account

Dan — Tue, 18 Dec 2007 00:31:16 GMT

Aaron,

I did not have a password on the limited account and have since set one up. The script is in a folder on the desktop of the limited account. However, I am still getting the same error. Is there any thing else I can try?? Any help would be greatly appreciated.

Thanks,

Dan

[Aaron Margosis] Try putting it in a shared location rather than in a folder belonging to one user. E.g., copy it to the All Users \ Documents folder (Shared Documents).

re: MakeMeAdmin -- temporary admin for your Limited User account

hendri — Sat, 05 Jan 2008 15:32:36 GMT

same as latest question, after i put makemeadmin in shared document(My computer => shared document), after that what must i do???still not know how to work.sorry if my english language worst.thanks before

re: MakeMeAdmin -- temporary admin for your Limited User account

Ed — Thu, 28 Feb 2008 17:50:13 GMT

Hello Aaron. Will MakeMeAdmin function for me? I have CAC-user logon credentials and username/password elevated credentials for my admin work. We are in an Active Directory 2003 domain. I need to open elevated privelege consoles on remote clients and access (restricted) local and network shares using the elevated privilege account. The 'runas' with IE6 used to be great but our domain has recently deployed IE7 to all clients. As we all know, IE7 developers killed the simple runas functionality and now I'm stuck. Fast User Switching is also disabled by GPO.

I need to load software, add a printer, view security logs, etc, etc, on remote clients with users remaining logged in, a.k.a., get in, do it, and get out quickly.

Is MakeMeAdmin doable?

[Aaron Margosis] There's something about CAC cards that is somehow different from "ordinary" smart cards... apparently RunAs doesn't work with CAC cards. I looked into it a little while ago but didn't have a really good opportunity to dig into actual cause.

PC Sympathy » More Ways To Surf Safely

PC Sympathy » More Ways To Surf Safely — Sun, 09 Mar 2008 04:09:27 GMT

PingBack from http://www.pcsympathy.com/blog/2008/03/08/more-ways-to-surf-safely/

Asking how to crack the admin password from a limited account

Exana — Sat, 15 Mar 2008 15:02:11 GMT

Aarona

can you please tell me how to got the admin password of my computer to which i have a physical access and using the limited account.

thanx.

[Aaron Margosis] No, I can't.

re: MakeMeAdmin -- temporary admin for your Limited User account

Mike — Mon, 17 Mar 2008 18:33:37 GMT

Is there a set way I can change owner/permissions that makes sense?

I've been using PrivBar.dll and LaunchAdmin.exe with great success. I launch admin programs (Spybot S&D and Adaware) with a modified MakeMeAdmin.cmd. Also added the "Owner" column to windows explorer. This works well for a newly installed system.

When I implement this on an existing system, I demote Userx from "Computer Administrator" to "Limited". Is there a set way I can change owner/permissions that makes sense?

For example:

secpol.msc->Local Policies:Security Options:System objects:Default Owner->Administrators group.

REBOOT

==============

Replace Owner

==============

"C:\" Administrators --Replace owner on subcontainers and objects

==========================================

Permissions (including all child objects)

==========================================

"C:\" : Administrators(Full Control)

"C:\Windows\" : Users(Read & Execute, List Folder Content, Read)

"C:\Program Files\" : Users(Read & Execute, List Folder Content, Read)

"C:\Documents and Settings\Userx\My Documents": Userx(Full Control)

re: MakeMeAdmin -- temporary admin for your Limited User account

Faisal — Fri, 11 Apr 2008 17:47:07 GMT

Very interesting script.

Users in my workplace do not have admin rights on their machines. So to install something we have to login with our credentials.

I was writing a script that maps the network drive with my credentials and then open iexplorer window again with my credentials. The problem is that in that I.E window I can see C: drive but can't see the mapped Network drive. Is there a way this script can help me ?

My script is:

@echo off

Echo Please enter your username.

set /p User=

NET USE I: %logonserver%\software /USER:mydomain\%User% *

runas /user:mydomain\%User% "c:\Program Files\Internet Explorer\iexplore.exe"

hardbop200.com : Batch script to run Control Panel applets as admin

hardbop200.com : Batch script to run Control Panel applets as admin — Tue, 13 May 2008 22:32:05 GMT

PingBack from http://www.hardbop200.com/2008/04/23/batch-script-to-run-control-panel-applets-as-admin/

re: MakeMeAdmin -- temporary admin for your Limited User account

Sam — Tue, 17 Jun 2008 18:24:59 GMT

Hi, At school I have 2 accounts, one Admin/PU for working on the server and past and current student databases etc and one which I use for normal classes.

I am really struggling to understand what I am supposed to do to set this all up.

Could you please possibly give me a step by step instruction set up for all of this

It is appreciated heaps

Sam

re: MakeMeAdmin -- temporary admin for your Limited User account

Ak Shah — Fri, 27 Jun 2008 15:31:17 GMT

Hello,

Can someone help?

I had a Administrator Account & Limited Account on my Laptop but i accidentally deleted the Administrator Account. Now the only Account that i have is the Limited Account. There is no Administrator account under user Accounts. How can i get around this? I am not able to access any files.

Tanks,

re: MakeMeAdmin -- temporary admin for your Limited User account

Les Weston — Sun, 29 Jun 2008 14:20:48 GMT

I think there is another "Administrator" account on XP machines, not protected with a password by default, but removed from the login menu as soon as you create your own Admin account. Take a look at http://www.ncsu.edu/resnet/windows/passwords/xp_passwords_admin.php or do a web search for "hidden administrator account" (without the quotes), you might find the answer you are looking for.

Good luck!

-Les.

re: MakeMeAdmin -- temporary admin for your Limited User account

nil karaibrahimgil — Sat, 12 Jul 2008 09:43:23 GMT

Hey!

I am using this script! I saw in one comment!

You must try!

****

@echo off

Echo Please enter your username.

set /p User=

NET USE I: %logonserver%\software /USER:mydomain\%User% *

runas /user:mydomain\%User% "c:\Program Files\Internet Explorer\iexplore.exe"

********

Thanks for every information.

These are very useful!

Thank you so much...

King Regards!

Ламинат цены

ламинат — Sun, 24 Aug 2008 14:55:14 GMT

1uI'll thingk about it.0w I compleatly agree with last post. hvr

<a href="http://skuper.ru">паркет</a> 2k

re: MakeMeAdmin -- temporary admin for your Limited User account

JJT — Thu, 06 Nov 2008 12:53:48 GMT

I'm on a pc with both an Administrator and Limited User account.

However the Limited User a/c has a blank password therefore as I understand it, this solution does not work.

What alternative solution is there for me that functions like MakeMeAdmin but accepts a Limited User a/c with no password?

I do have the Admin password.

I just don't want the hassle of logging in and out and in and out...

[Aaron Margosis] It will probably work if you remove the restriction on blank-password local accounts. Caveat is that you do increase your security risk by doing this. Local Security Policy (secpol.msc): Security Settings \ Local Policies \ Security Options; "Accounts: Limit local account use of blank passwords to console logon only". Change from Enabled to Disabled. Probably requires reboot. Caveat again is that you do increase your security risk by doing this.

re: MakeMeAdmin -- temporary admin for your Limited User account

sam — Sun, 23 Nov 2008 22:30:35 GMT

hi my 12 year old changed my admin password and now the only way we can use the computer is thro her restricted account ....is there a way to make her account admin with out the admin password....so i can get my account back.. thanx 4 all the help

re: MakeMeAdmin -- temporary admin for your Limited User account

Soubhik — Thu, 18 Dec 2008 18:57:30 GMT

How to del the temperary profile and log in to the normal administrator account.???

[Aaron Margosis] Sorry - no idea what you're asking here...

re: MakeMeAdmin -- temporary admin for your Limited User account

awp_map — Wed, 14 Jan 2009 12:21:04 GMT

need help :

i was so confused for long time..

how to remove password while i plugged in a flashdisc on limited user? anybody know this ..

help me please..

re: MakeMeAdmin -- temporary admin for your Limited User account

Shawn Pete — Wed, 04 Feb 2009 05:00:37 GMT

I use the code below (all on one line in case the line breaks) in a shortcut. I get the privleges that I need for access to the folder I want, but both PrivBar and TweakUI show my non-admin information.

C:\WINDOWS\system32\runas.exe /netonly /user:armtec\proe "%SystemRoot%\explorer.exe \\armtec-engineer\DGMF"

[Aaron Margosis] /netonly "indicates that the user information specified is for remote access only". In other words, you're still the same non-admin locally (which is what privbar is reporting), you're just using the alternate credentials when you access remote computers like "armtec-engineer".

re: MakeMeAdmin -- temporary admin for your Limited User account

andrea — Fri, 22 May 2009 15:18:28 GMT

I would like to use the jkdefrag screensaver with administrative privileges (to defrag the system disk).

Is it possible trough MakeMeAdmin? How?

Thank you.

Can I give to a screensaver administrative privs?

andrea — Fri, 22 May 2009 15:19:40 GMT

I would like to use the jkdefrag screensaver with administrative privileges (to defrag the system disk).

Is it possible trough MakeMeAdmin? How?

Thank you.

Can I give to a screensaver administrative privs?

andrea — Fri, 22 May 2009 15:20:22 GMT

I would like to use the jkdefrag screensaver with administrative privileges (to defrag the system disk).

Obviously I can't write the password every time the screensaver start

Is it possible trough MakeMeAdmin? How?

Thank you.

Sorry, triple posting

andrea — Fri, 22 May 2009 15:21:53 GMT

Sorry, I posted my question three times by mistake, plese remove the first two, thank you

Wrong user password leaves user in admin group

Waldo120 — Tue, 02 Jun 2009 23:09:11 GMT

When I enter the admin password correctly, then the user password incorrectly, it leaves the user setup as an admin. Is there a fix for this?

I'd hate to accidentily leave a user as an admin because they mistyped their password.

Wrong user password leaves user in admin group

Waldo120 — Wed, 03 Jun 2009 00:08:00 GMT

Correction, this only happens if after mistyping the password instead of "pressing any key to continue" you instead close the dos window. Can we modify this to remove before "press any key" when the password is wrong?

[Aaron Margosis] Go ahead -- it's a .cmd file, so you can edit it with Notepad. Might be easier just to add an ECHO statement saying "Press any key, DO NOT JUST CLOSE THE WINDOW."

Wrong user password leaves user in admin group

Waldo120 — Wed, 03 Jun 2009 21:19:20 GMT

I was about to but I think I misunderstand something in the logic about it. Took a second look and realized my misunderstanding. Below is what you can replace the line after runas with. It causes you to have to "press any key to continue" twice when the password is bad, but at least now I can leave the window behind for them to logon and know the user wont be left an admin.

if ERRORLEVEL 1 echo. && echo Removing user %* from group %_Group_%... && net localgroup %_Group_% "%*" /DELETE && ECHO && pause

Thought, do goto commands work in cmd files?

[Aaron Margosis] http://technet.microsoft.com/en-us/library/cc755012.aspx

re: MakeMeAdmin -- temporary admin for your Limited User account

Dan — Thu, 19 Nov 2009 21:34:31 GMT

Aaron,

I am trying to run this on a limited user account on XP Home. I have used this on other computers and it has worked fine. Both the limited user account and the administrator account have passwords. Anyways, when I type in the admin password I get:

RUNAS ERROR: Unable to run C:\Docu~...

1327: Logon failure: ...

Any suggestions??

[Aaron Margosis] Put the file in a shared location rather than in one user's profile. If that's not the problem then put it in a location that doesn't have long file names or where any of the path components have spaces in them. (The script should handle that, but if 8.3 file names are disabled that could be a problem - or it might be a permissions issue where one account can't get to the file...)

re: MakeMeAdmin -- temporary admin for your Limited User account

Dan — Fri, 20 Nov 2009 14:29:29 GMT

Aaron,

Thanks for the quick update. I have moved the filed to C:\MakeMeAdmin - I believe this is a shared location. I have also tried C:\Program Files\MakeMeAdmin. I still get the same error. Can you tell me what to check about 8.3 file names (not sure what that means) and what I should check for permissions??

Thanks

[Aaron Margosis] Just re-read your first... The rest of the error text for that error message is: "Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced." Are you sure both the admin and non-admin accounts have non-blank passwords? Do you have logon hour restrictions applied, or is the admin account you're using disabled? If your admin account is not called "Administrator", you need to change the script to use a different account name that has admin rights.