Steel-Run-As Steel Run As solves a problem that every Windows administrator faces sooner or later. It allows you to let standard users run a specific program with administrator privileges. This works in login scripts, in Windows domains or on standalone workstations. Important is that the user doesn't have to know the administrator's password, like with the Windows runas command. Best of all is that Steel Run As is very easy to set up.

When I first heard that Microsoft was going to introduce UAC in Windows, I thought it would be something similar to sudo in Linux. Unfortunately, UAC is no match at all for sudo. The feature I miss most is the ability to allow certain end users to manage specific operating system features that require administrator rights.

A typical example are the TCP/IP settings. Laptop users sometimes have to change their IP address themselves because some hotels don' t use DHCP. The problem is that changing the network settings requires admin rights. Of course, you could just add the user to the administrators' group; but this is something that responsible administrators try to avoid at all costs.

Steel Run As is not really comparable to sudo, but it can help you with similar problems. The tool has a simple GUI in which you have to configure the credentials of the administrator account, the command to execute and the working directory. Don't forget the latter setting under Windows Vista. It seems one has to browse to the command; typing the path doesn’t work.

Steel Run As creates an executable that the user has to run. This program then launches the program that has to be executed with administrator rights. Note that the Steel Run As executable doesn't contain the program that you want to run with admin privileges. This means that you also have to make sure that both the program and the Steel Run AS exe are available on the user's computer. Steel Run As uses a cyclic redundancy check (CRC) to verify that the program hasn't been altered. You don't have to install Steel Run As itself on the user's computer, though.

UAC-Privilege-Level Also note that if UAC is enabled, you have to make sure that the program is elevated. Steel Run As doesn't do that for you. Please check out my article about UAC elevation for more information about this issue. On Windows XP machines, you don't to have to deal with this problem.

In one of my next posts I will show you how you can use Steel Run As to allow standard users to change the TCP/IP settings. You can take this as an example of how to use Steel Run As with batch scripts.

If you are an experienced admin you probably have found other workarounds for this Windows shortcoming. I am curious to know how you solved this problem.

Warning: Be careful with programs that allow user to open files. Users can open other programs with admin privileges this way. See comment below.

Update: Please, also check out my new article about RUNASSPC and CPAU, two comparable tools.

Steel Run As ^

Read 4sysops without ads by becoming a member!

Your question was not answered? Ask in the forum!

0
Share
14 Comments
  1. Michael 11 years ago

    About your example of user's needing to be admin user's to change network settings, there is another option. For our laptop users, we add them to the Power Users and Network Configuration Operators groups. This let's them change their network settings while traveling, plus lets them change settings those in the Users' group can't change, like power settings. It's not a perfect solution, but it does make things simple for the users.

    0

  2. This is certainly also an option. But it has the disadvantage that you have to give them more privileges than necessary.

    0

  3. Michael 11 years ago

    That is true, and to be honest, I've always wanted to find out more about what abilities the Power Users and Network Configuration Operators groups give over regular users. Are you aware of any sites that would help fill in that missing info?

    0

  4. Marc 11 years ago

    All you need for IP settings is Network Configuration Operators Group. See http://support.microsoft.com/kb/297938. This is how we deal with it. Very specific rights.

    0

  5. Run-as - basiaw7 11 years ago

    [...] “reklamowany” jest też w jednym z moich ulubionych portali a mianowicie https://4sysops.com/archives/free-steel-run-as-let-standard-users-execute-with-administrator-rights/ i tam też trochę można o nim [...]

    0

  6. zimo 11 years ago

    What about security, where does the administrator's password write?

    Thanks.

    0

  7. Michael, I don't know the exact rights of the power users group. Actually, I never worked with it. Since Windows NT 4 I always managed to give users only standard user rights. It is not only because of security, but it also simplifies the work of the help desk if they can be certain that all users have the same rights.

    Marc, using the Network Configuration Operations group is certainly the easiest way to solve this problem. However, some admins sleep better if they know that their users are not able to mess with all network settings. Moreover, a script-based solution (which I will introduce in my next post) allows you to reset the TCP/IP settings automatically when the user connects the laptop to the corporate network.

    zimo, that is a good question. I guess the Steel Run As exe contains the encrypted password. There might be ways how an attacker could use this exe to launch other programs with administrator rights. I tried it, but all my attempts failed. But I am not a hacker. It is more secure if you use an account that has just enough rights to accomplish the task. For example, you could use an account of the Network Configuration Operations group for Steel Run As to change the TCP/IP settings.

    0

  8. Jarred Fehr 11 years ago

    Question: Is there a way to use this for the Windows font folder in Vista? I'd like for my end users to be able to install fonts on their machines without notifying the help desk. I don't care how many fonts they install. However, I can't tell what .exe the Vista font installer calls. Any ideas?

    Also, re: Power Users. In a MS conference I went to last year, I think I remember them saying that the PowerUsers in Vista has no extra rights compared to Standard Users. It is only there for legacy purposes.

    0

  9. Jarred, I think there is no font installer application. It is just a folder: c:\windows\fonts\. You probably only have to change the permissions of this folder. The problem is that you can't do that Windows Explorer. I have read that it is possible with Xcalcs. I never tried this though.

    0

  10. Andrew from Vancouver 11 years ago

    I use a similar tool, CPAU from JoeWare.net, which is here:

    http://www.joeware.net/freetools/tools/cpau/index.htm

    The main difference in the tools are that CPAU has no GUI for building the result, and the result is a binary file that CPAU.exe reads.

    According to the CPAU help, Microsoft removed the ability to simultaneously impersonate with local credentials and network access.

    That means that in a login script to, say, update files in %programfiles%, I first copy the files with the normal user's credentials to the local drive, then call CPAU with the .job file which then calls the previously baked-in user, password, executable, and parameters for that executable.

    It's enough to drive an Admin to .msi files!

    0

  11. AlexPPC 10 years ago

    The abov mentioned program do not do the job on Vista SP2 x86.
    I have tested it with an application that installs and run a WiMax Connection.
    StellrunAs is succsesfully installed. But do not do the job for the WiMax app.

    0

  12. Malcolm McCaffery 10 years ago

    The problem is this will probably let user run elevated applications from the application you've launched. (i.e. hitting File -> Open then launching an app.

    It is very possible to configure Windows 7 to allow users to configure different settings (i.e. network settings only) without having to run a specific tool as Administrator.

    0

  13. Andrew, thanks for mentioning CPAU.

    AlexPPC, did you elevate Steel Run As?

    Malcom, you are right, this is a problem for programs that allow you to open files. I will add a warning to the article.

    0

  14. Sachin S 10 years ago

    Hello,

    Does anyone know how to make runasspc wait for process to complete?
    CPAU has such an option which is needed any many cases.

    1+

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2020

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account