RANU: smarter CPL and MSC

Published 21 June 04 01:43 PM

I wish that .CPLs and .MSCs were smarter about normal users.  I want to be a normal user, open a Control Panel applet, and have it prompt me for credentials if needed.  Same thing for the administrative tools.

Here's what I do instead.

I create a set of shortcuts in a folder called “Control Panel”:

runas.exe /user:Administrator "control access.cpl"

I even set the icon by pointing it back at the .CPL file.

I do something similar with a folder called “Administrative Tools”:

runas.exe /profile /user:Administrator "mmc %windir%\System32\compmgmt.msc"

Both folders go into the “Admin Tools“ folder, along with

CMD w/ network

runas.exe /env /user:Administrator "runas.exe /user:%USERDOMAIN%\%USERNAME% /env /netonly \"cmd\""

 

There’s a bug in Windows XP where certain controls running in this mode just won’t paint.  It seems to be fixed in Windows Server 2003.  Don’t know about Windows XP SP2.

 

CMD

runas.exe /env /user:Administrator "cmd"

 

Explorer w/ network. Enable “Launch folder windows in a separate process”, as both yourself & Administrator.

 

runas.exe /env /user:Administrator "runas.exe /user:%USERDOMAIN%\%USERNAME% /env /netonly \"explorer\""

 

Task manager

 

runas.exe /user:Administrator taskmgr.exe

 

Regedit

 

runas.exe /user:Administrator regedit.exe –m

 

The Admin Tools folder then becomes a toolbar on my taskbar.  With all this in place, I can get by as a normal user.

by jaybaz_MS
Filed under:

Comments

# AT said on June 21, 2004 2:25 PM:
;o)
Completely agree

Even more - no needs to ask Administrator account for user actions.
But if user need to change something affecting not only his account - he must be prompted for login.

Running select CPL's as
Administrator can change Administrator configuration instead of current user one.

P.S> I wish ITG groups do not give Administrator password for Windows team development workstations or restrict Administrator account usage by time-limits (ex. 1 hour per day).
This way Windows team will make it's possible to run most of Windows apps without admin rights ;o))

# Bjoern Graf said on June 21, 2004 4:33 PM:
This is what OSX does and it makes it sooo easy to run as normal user and still being able to do administrative tasks without (fast-)swicthing users. Even the installer is smart enough to ask for roots password if it requires to do system canges (updates and friends).
# jaybaz [MS] said on June 21, 2004 4:45 PM:
Bjoern: I'm still not jealous.
# Drew said on June 21, 2004 6:41 PM:
"RANU" had me scratching my head for a minute. "Run(ning?) As (a) Normal User"? LUA, "Limited User Account", is the acronym de jour for this.
On XP and Server 2003 (and maybe someone even backported the change to Win2k - I dunno), runas does "/profile" by default. If you're trying to avoid the profile load you can use "/noprofile".
The explorer and regedit tricks may not always work as expected. Explorer is single-instance per desktop by default, so you can end up spawning an explorer window in your LUA context instead of the admin's. I'm pretty sure that regedit is always single-instance per desktop, so if there's already one running you'll only bring that to the front and focus on it. I don't know whether taskman or the .cpls are single-instance.
FUS (Fast User Switching) is probably the most painless way to avoid all of this hassle if the machine isn't in a domain.
# jaybaz [MS] said on June 21, 2004 6:45 PM:
Drew: It looks like you've explored this pretty deeply. I'm glad to see that.

regedit is single instance, unless you pass the -m flag.

explorer is single instance unless you set the "Launch folder windows in a separate process" in the context that is doing the launching (administrator).

RANU first mentioned in http://blogs.msdn.com/jaybaz_ms/archive/2004/06/21/161609.aspx.
# Bjoern Graf said on June 21, 2004 8:41 PM:
Oh, I didn't meant to force anyone to switch or such a thing: I'm a happy XP user who happend to have the chance to play with OSX :)
# circuit_breaker said on July 16, 2004 11:51 PM:
anyone know of any good 3rd party file manager apps that would work well under an administrator secondary logon (that is what runas uses, right)? i want to find something portable to use so I don't have to GP-enable every pc in my domain for explorer.exe ..
New Comments to this post are disabled
Page view tracker