Administration While Running as a Limited User
Around here we have a policy that administrative accounts cannot have web access. This prevents many of the common malware and virus issues. At first I spent a lot of time logging in and out of my machine, going from admin to regular user. Then I set up a spare computer that I could remote to to run administrative commands. Then I spent some time using the run-as command, typing my password every time I wanted to do something. Now I have a solution that lets me run as a limited user and still run administrative commands without any extra work.
Heres the end result:
That's a limited user account logged on with an admin level window running. Anything launched from that window will have admin level authorization.
You might say "No big deal. You just used "run-as" on an explorer window." Indeed I did, but go ahead, try it on your machine. Didn't work did it? This had me stumped for ages. I could get this to work, but none of my coworkers could.
Here's how to get it to work:
First, we need to set both the admin and limited user accounts on the computer to run the explorer windows in separate processes. This is the key that lets you have side-by-side explorer windows with separate credentials. While logged on as each user, open up explorer (Windows + E) > Tools > Options > View > Check the box next to "Launch folder windows in a separate process".
Now we can set up the shortcut to spawn the window. You can, of course, have this launch just plain a plain old explorer window to "C:". However, when I want to run something as admin, it's usually in my administrative tools list. So here's the shortcut I use:
First, right-click and make a new short cut. Set this for the target for the shortcut:
C:\WINDOWS\system32\cmd.exe /c runas /user:domain\admin "explorer C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools"
Set the name to whatever you want. I use "Admin Run". Now lets give it a pretty icon. Right-click the shortcut >properties > Change Icon >then paste this in the "Look for icons" line and hit enter:
Now whenever you click this newly made shortcut, you'll get a command prompt for your admin user password. Once you've authorized you'll get an administrator level window with all of your admin tools.
Just add shortcuts into your all users Administrative Tools list for those programs you'll also need to run as admin. I also added links for windows explorer: (%windir%\explorer.exe) and for the command prompt (%windir%\system32\cmd.exe) considering how much I use them.
Now you too can run as a limited user account, yet still get administrative tasks completed without wasting a ton of time logging in and out or using run-as and typing your password all the time.