Is there a way (when logged in as an administrator, or as a member of the administrators group) to masquerade as a non-privileged user? Especially in an AD environment.
e.g., in the Unix world I could do the following (as root):
# whoami
root
# su johnsmith
johnsmith> whoami
johnsmith
johnsmith> exit
# exit
I need to test/configure something on a user's account, and I don't want to have to know their password or have to reset it.
Edit: runas won't cut it. Ideally, my whole desktop would become the user's, etc. and not just in a cmd window.
I'm pretty certain there is no supported way to run as a different user without having that user's credentials. It's a non-repudiation measure. Someone can't say: "I didn't do it", because either they did it, or someone with their credentials did it. And for the second they'd have to give the other person the credentials.
Normally how I do what I need to do while logged in as another user is to use remote assistance to essentially RDP into the session, and have them grant me control. Then I do whatever while they're watching (presumably, anyway).
Anything else can usually be done with GPO/scripts.
I've noticed a lot of other people mentioning variations on the runas command and how you need to know the user's password, which is true, but I don't think that anyone has quite answered the question of "wanting the whole desktop would become the user's, etc. and not just in a cmd window". Here's the way I go about it:
Note: I'm going to refer to this first Command Prompt as CP1 to eliminate confusion later.
Under your admin account, open Command Prompt
For local account
For domain account
OR the way that I prefer it
Note: A new command prompt will open (CP2); this is the user you are trying to log in as.
Open CP1 and type:
Open CP2 and type:
Depending on the computer, it may create a profile for the user if they have never logged on there before. You can save yourself the hassle later by keeping the command prompt windows open for later use.
When you're done with your work, just do the same thing in reverse.
In CP2 type:
Open CP1 and type:
You should now be back in the original administrator account. You can do a quick check by tapping the Windows key and looking for the current user panel.
Hope this helped.
There's no built-in mechanism in Windows to do this. It can be done, but you're going to have to have something written to do what you want, and you're probably going to have to muck around with undocumented APIs.
One of the posters here, grawity, has it right w/ calling CreateProcessAsUser(), but you'll need to create a token with the undocumented native API ZwCreateToken first. If you killed off Explorer and fired up a new Explorer instance w/ CreateProcessAsUser() I'm fairly certain you'd get what you want.
Microsoft doesn't make what you want to do easy because it's not the way they want you using NT. If you need to be logged-on as a user to troubleshoot their issues, in most cases you're going about it in a sub-optimal way.
You can make changes to the user's registry w/o logging-on as them (by attaching their registry hive and manipulating it that way). You can make changes to files in their user profile w/o being logged-on as the user. If you need to "setup email" or other such activities "as the user", you should be writing scripts or taking advantage of built-in functionality (Group Policy Administrative Templates, preferences, etc) to do your dirty work for you.
If you have to do this, have a look at RunAsEx on Code Project. That code should give you a fairly good idea of what you'll need to do. I haven't tried the program, but it looks like it's going about everything in the right way.
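The registry-hive approach described in this answer, as an added example that is not part of the original post: an elevated PowerShell script that mounts the user's NTUSER.DAT (or uses the already-mounted hive if they are logged on), sets one value, and unmounts it. The account, key and value names are placeholders; the change is made and audited under the administrator's own identity.

```powershell
#Requires -RunAsAdministrator
# Added example: edit a user's per-user registry settings without logging on as them.
# All parameter defaults below are placeholders, not values from the original page.
param(
    [string]$Account   = 'CONTOSO\johnsmith',
    [string]$SubKey    = 'Software\ExampleApp',
    [string]$ValueName = 'ServerUrl',
    [string]$ValueData = 'https://app.example.test'
)

# Resolve the account to a SID, then find its local profile on this machine.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
$userProfile = Get-CimInstance Win32_UserProfile -Filter "SID='$sid'"
if (-not $userProfile) { throw "No local profile for $Account on this machine." }

if ($userProfile.Loaded) {
    # User is logged on: their hive is already mounted under HKEY_USERS\<SID>.
    $root    = "Registry::HKEY_USERS\$sid"
    $mounted = $false
} else {
    # User is logged off: mount NTUSER.DAT under a temporary key name.
    $mount = "Temp_$sid"
    $hive  = Join-Path $userProfile.LocalPath 'NTUSER.DAT'
    & reg.exe load "HKU\$mount" $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE." }
    $root    = "Registry::HKEY_USERS\$mount"
    $mounted = $true
}

try {
    $path = "$root\$SubKey"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $ValueName -Value $ValueData
    # Read the value back so the operator can confirm what was written.
    Get-ItemProperty -Path $path -Name $ValueName | Select-Object $ValueName
} finally {
    if ($mounted) {
        # Release PowerShell's open key handles, otherwise the unload is refused.
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$mount" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Hive still mounted at HKU\$mount." }
    }
}
```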
You can use the following command on Windows XP and later:
The command line options are available here.
This will not work without knowing the user's password. I do not believe there is a way in Windows to operate under a user's account without the password due to how the Security Identifiers are loaded.
(Just a guess.) If your account has SeCreateTokenPrivilege, you could write a small program to create a process using CreateProcessAsUser() or a similar function... (But not even administrators have the privilege by default.)
Although I do not have personal experience with some of the sudo solutions mentioned on this site, I highly recommend nonadmin started by the excellent Aaron Margosis. It is a huge help as you roll out limited users. I mainly jumped in with something since everyone else is saying use Runas. However, I think most or all of these so-called sudo for Windows tools deal more with elevation rather than acting as another user without their password.
Process Explorer procexp.exe on http://live.sysinternals.com has a run as limited user (on the file menu) which will let you run a program using your current credentials, but with your ACL stripped down to that of a normal (non-admin) user. Not what you wanted exactly, but good for testing.