
RunAsLimitedUser: Run applications with limited user rights

By Michael Pietroforte - Thu, April 27, 2006

Michael Pietroforte is a Microsoft Most Valuable Professional (MVP) with more than 28 years of experience in system administration.

RunAsLimitedUser is a nifty RunAs tool that is easy to use, even for lazy admins. You probably know that Windows comes with a built-in RunAs feature. So-called security experts usually recommend that, as a sysop, you start applications with Administrator privileges only when necessary. The most secure way is to work with a normal user account and start admin tools that need more rights with an Administrator account. Well, I don’t know any sysadmin who really works this way. It is just too time-consuming to log on every time you need more privileges. RunAsLimitedUser works the other way around.

You log on with an Administrator account and start applications that don’t need admin privileges from their icon’s context menu. This just costs you an extra mouse click. Most tools a sysop starts every day simply need admin rights. However, the few apps you use that also work with user rights are those that pose the biggest security threat, most prominently your favorite web browser or your e-mail program.

RunAsLimitedUser creates a user account with a random password during installation. The password is stored in the registry and encrypted with DPAPI. This account does not belong to any user group, and in particular not to the admin group.
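The pattern described above (random password, DPAPI-encrypted registry value, account in no group), as an added example that is not RunAsLimitedUser's own code. The account name and registry key are hypothetical placeholders, and the script assumes an elevated Windows PowerShell 5.1 session.

```powershell
# Added illustration; not RunAsLimitedUser's code. Run elevated in Windows PowerShell 5.1.
# $AccountName and $RegKey are hypothetical placeholders, not the tool's real values.
Add-Type -AssemblyName System.Security   # provides ProtectedData, the .NET DPAPI wrapper

$AccountName = 'ExampleLimitedUser'
$RegKey      = 'HKCU:\Software\ExampleLimitedUserDemo'
$Scope       = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

# 1. Random password from the OS CSPRNG: 24 random bytes become 32 base64 characters.
$raw = New-Object byte[] 24
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($raw)
$rng.Dispose()
$plain = [Convert]::ToBase64String($raw)

# 2. Create the local account. New-LocalUser adds it to no local group.
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
New-LocalUser -Name $AccountName -Password $secure -Description 'Constructed demo account' | Out-Null

# 3. Encrypt the password with DPAPI and store the blob in the registry.
#    CurrentUser scope: any code running as this Windows user can decrypt it.
$bytes = [Text.Encoding]::UTF8.GetBytes($plain)
$blob  = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, $Scope)
New-Item -Path $RegKey -Force | Out-Null
New-ItemProperty -Path $RegKey -Name 'Secret' -PropertyType Binary -Value $blob -Force | Out-Null

# 4. Round trip: read the blob back and decrypt it, as a launcher would have to
#    before starting a process under the limited account.
$stored    = (Get-ItemProperty -Path $RegKey -Name 'Secret').Secret
$clear     = [System.Security.Cryptography.ProtectedData]::Unprotect($stored, $null, $Scope)
$recovered = [Text.Encoding]::UTF8.GetString($clear)
if ($recovered -ne $plain) { throw 'DPAPI round trip failed' }

# 5. Verify the account is in no local group; Administrators matters most.
$member = "$env:COMPUTERNAME\$AccountName"
$groups = Get-LocalGroup | Where-Object {
    (Get-LocalGroupMember -Name $_.Name -ErrorAction SilentlyContinue).Name -contains $member
}
if ($groups) { Write-Warning "Unexpected membership: $($groups.Name -join ', ')" }
else         { Write-Output  "$AccountName belongs to no local group." }

# Cleanup for the demo:
# Remove-LocalUser -Name $AccountName; Remove-Item -Path $RegKey -Recurse
```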

You can also use this tool for testing users’ applications. For example, if you configure a master PC, you will usually install applications using an administrator account. But your users probably have limited rights. With RunAsLimitedUser, you can check whether a newly installed program will also work in a user’s environment.
