In order to follow best practices and observe the principle of least privilege, the system administrators in my company agreed to log in to their workstations with standard user accounts. To facilitate administrative tasks, user accounts were created with the required memberships to allow access to the consoles and servers for such tasks. The problem we soon encountered in Windows 7 was that in order to launch the Remote Server Administration tool (RSAT) under a different user account, you need to Shift + right-click the shortcut, choose Run As Different User and then enter the user name and password for the administrator account.
Adding RUNAS to the RSAT Shortcuts
To eliminate the extra clicks and the need to enter your username and password every time you launch an admin tool from your standard user security context, you can edit the shortcut to the tool to include the RUNAS command. I accomplished this on my machine by making copies of the RSAT shortcuts on my desktop and editing the copies. That way I could go back to the originals if I needed to run as a different user, but also because the shortcuts to the RSAT in the start menu are for all users of the computer. I would suggest not letting other users that might log in to your computer be able to launch these tools with your username.
The shortcuts live in a hidden folder located at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\. I copied the shortcuts of the tools I use on a regular basis and pasted them to my desktop.
Editing the shortcuts
Right-click on any of those new shortcuts and choose Properties. In this example, I’ll edit the shortcut for Active Directory Users and Computers. We’re going to change the content of the Target field.
To run the ADUC tool as a particular domain user, change the Target field to read:
%windir%\system32\runas /savecred /user:yourdomain\domainuser "mmc dsa.msc"
NOTE: Replace yourdomain with the name of your domain and replace domainuser with the name of the user account you want to use. The /savecred switch is optional and saves the password you type in the next steps. You can also replace yourdomain with the name of a computer to run the tool under a local user account.
Click OK and then double-click the icon for the RSAT you just edited.
You’ll see a command window pop up that will ask you for the password associated with the account you entered in the /user switch. Type your password (the cursor will not move a la Linux Terminal), hit enter, and the tool will launch.
If you chose to use the /savecred switch, this will be the only time you need to enter your password for that user name. Saved passwords can be managed in the Credentials Manager (more on that later).
Most of the basic RSAT will be this easy to edit; some will require a little care like the Hyper-V console.
A more complex target: Hyper-V
Some of the RSAT tools have more complex targets; take the target for the Hyper-V console for example. The stock text in the target for the Hyper-V console on my workstation is:
This is due to the fact that the Hyper-V console components are installed in the Program Files folder, but it is still wrapped in the MMC application.
Editing the target for RUNAS requires wrapping quotes around the MSC, but since the stock Hyper-V console target already uses quotes you’ll need nesting quotes. Here are the contents of the target field with RUNAS:
%windir%\system32\runas.exe /savecred /user:yourdomain\domainuser "%windir%\system32\mmc \"%ProgramFiles%\Hyper-V\virtmgmt.msc""
Note: there is a backslash (\)before the opening nested quote; this is required for the nested quote to work. There is no space between the backslash and the opening quote.
Using the AD Users and Computers and the Hyper-V consoles as examples, you should be able to edit the shortcuts for other tools to run as the administrative accounts and allow you to safely stay logged into your workstation with your standard user account.
Credential Manager and the Windows Vault
Saving passwords is nothing new, but Windows 7 gives us a tool called the Credential Manager to be able to access, edit and, back up those saved credentials. Credential Manger can be found in the Control Panel under the User Accounts header, but it also comes up in the Start Search.
The credentials for passwords saved in RUNAS using the /savecred switch are stored under the Windows Credentials header. You can see in the screen capture the saved credentials for my example user account. If you mistyped your password after launching your RSAT or your password has changed, the following instructions will show you how to fix it.
Fixing saved credentials
Click the drop down arrow on the right end of the credential entry to expand it.
You can click Remove From Vault to delete the entry or you can click Edit to fix the incorrect password.
Type the correct password and click Save. The next time you launch your RUNAS-enabled RSAT that uses that credential, the new password will be used.
Hopefully using RUNAS in your RSAT shortcuts will save you some time and help make you more efficient as well as allow you to maintain the principle of least privilege in the daily use of your workstation.