Windows 2000 features a command-line utility, RUNAS, which allows a user to execute another program with a different user's credentials. This can be used to give local users access to certain administrative functions in a noninteractive way, without actually granting them the rights to perform those functions themselves.
- Create a dedicated account that can perform the needed administrative tasks but has no local or network logon privileges (to prevent users from logging in as that account and tampering). The desktop user should know the password for this account, but should not be able to change it, log on with it, or use the account in any other way.
- Create a batch file or other executable that contains the needed commands, and place it in a special folder. If you want, you can create a folder that has the permissions described below and allow all children of that folder to inherit the same permissions automatically.
- Make sure the access permissions on the file in question are limited to the following:
  - The INTERACTIVE system account, to allow RUNAS to operate on it.
  - The special user account listed above.
- Keep the ownership on the file with the master Administrator account. Also make sure that the local user has NO privileges with the file in question, to keep users from reading it or tampering with it. For the best results, you can hide all of the files in question in a folder that is off-limits to the desktop user.
- Create another batch file or shortcut to execute the first command or batch file, which should be executable but not editable by local users. The command in this batch file should follow this form:
RUNAS /USER:<username> <program>
where <username> is the name of the user account described above and <program> is the path to the batch file or executable described in step 2. The path to the executable must be fully qualified for RUNAS to work correctly; i.e., C:\Folder\filename.bat, not just filename.bat.
When the second batch file is run, the user will be prompted for the password to the special account that RUNAS uses. The password cannot be passed as a command-line argument, for security reasons.
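The whole procedure above, as an added cmd.exe setup script that is not part of the original article. The account name TaskRunner, the folders C:\AdminTasks and C:\Tasks, the restricted account DesktopUser, the sample cleanup task and the Administrators group membership for the task account are all assumptions made for this example.

```batch
@echo off
REM Setup script added as an example; not part of the original article.
REM Assumed names: task account "TaskRunner", privileged folder C:\AdminTasks,
REM wrapper folder C:\Tasks, and the restricted desktop account "DesktopUser".
REM Run from a command prompt logged on as the local Administrator.

REM Step 1: dedicated account whose password the desktop user is told but
REM cannot change. (The "no local or network logon" restriction from the
REM article is set in Local Security Policy and is not scripted here.)
net user TaskRunner * /add /passwordchg:no /comment:"RUNAS task account"
net localgroup Administrators TaskRunner /add

REM Step 2: the privileged batch file, kept in its own folder.
REM The cleanup command is a constructed placeholder task.
mkdir C:\AdminTasks
echo @echo off> C:\AdminTasks\cleanup.bat
echo del /q C:\Temp\*.log>> C:\AdminTasks\cleanup.bat

REM Steps 3-4: replace the ACL (/P discards inherited entries) so that only
REM Administrators (the owner, full control), INTERACTIVE and TaskRunner are
REM listed. DesktopUser is absent entirely, so it can neither read nor modify
REM the file. "echo Y|" answers the "Are you sure" prompt that /P triggers.
echo Y| cacls C:\AdminTasks /T /P Administrators:F INTERACTIVE:R TaskRunner:R

REM Step 5: wrapper the desktop user runs. Read permission is enough to
REM execute a batch file; the user must not be able to write to it.
mkdir C:\Tasks
echo @echo off> C:\Tasks\run_cleanup.bat
echo RUNAS /USER:TaskRunner C:\AdminTasks\cleanup.bat>> C:\Tasks\run_cleanup.bat
echo Y| cacls C:\Tasks\run_cleanup.bat /P Administrators:F DesktopUser:R

REM Verify the resulting ACLs before handing the machine to the user.
cacls C:\AdminTasks\cleanup.bat
cacls C:\Tasks\run_cleanup.bat
```

The final two cacls calls print each file's ACL so you can confirm that DesktopUser appears only on the wrapper, with read access, and nowhere under C:\AdminTasks.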
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter.
This was first published in September 2002