Tuesday, April 19, 2016

Running Windows Explorer with different "RUNAS" credentials



As part of securing access to Active Directory, and following the principle of least privilege, it has been a goal of mine to run all administrative tasks from a management workstation while logging in to that workstation only with a generic, minimum-privilege user account.


While most management consoles can be launched in "RUNAS" mode, the Achilles' heel has always been the belief that you could not run Windows Explorer under RUNAS, which prevents you from managing file system permissions with a separate account.


Well, my genius friend (who is an absolute wizard at Google Searches) has found an answer.


Follow the steps below to do it.
  1. Start the Registry Editor as an Administrative User.
  2. Navigate to, take ownership of, and grant yourself Full Control permission to the key HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}
    (This is "Elevated-Unelevated Explorer Factory")
  3. Rename the value RunAs to _RunAs.
  4. Close Regedit.
  5. runas /user:domain\username "c:\windows\explorer.exe /separate"
     
Or, described another way:

  1. Start -> Run -> regedit
  2. Navigate to the registry key: HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}
  3. Right click on the registry key and click Permissions…
  4. Give Full Control permissions to the user logged in.
  5. Start -> Run -> dcomcnfg.exe -> Expand DCOM Config
  6. Right click and select properties of “Elevated-Unelevated Explorer Factory”, click the Identity tab and select “The launching user”
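Before relying on the runas step, it is worth confirming that the AppID change actually took effect, and on a managed fleet it is worth knowing which workstations carry it, since the two procedures above both change the identity the "Elevated-Unelevated Explorer Factory" runs under (renaming RunAs and picking "The launching user" in dcomcnfg have the same effect). The following PowerShell check is an added example, not part of the original post; it assumes Windows PowerShell 5.1 or later run on the workstation itself, and the function name is my own.

```powershell
# Added example (not from the original post): report the state of the DCOM AppID
# that the procedure above modifies, so the change can be confirmed or detected.
$AppIdGuid = '{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'   # Elevated-Unelevated Explorer Factory

function Get-ExplorerFactoryRunAsState {
    [CmdletBinding()]
    param([string]$Guid = $AppIdGuid)

    # HKCR: is not a default PowerShell drive; map it if it is missing.
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        $null = New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
    }
    $keyPath = "HKCR:\AppID\$Guid"
    if (-not (Test-Path -Path $keyPath)) {
        throw "AppID key $keyPath not found"
    }

    $props = Get-ItemProperty -Path $keyPath
    $acl   = Get-Acl -Path $keyPath
    $me    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    # Does the current user hold an explicit FullControl ACE on the key?
    # (Rights inherited through group membership are not matched here.)
    $meFull = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $me -and
        $_.AccessControlType -eq 'Allow' -and
        $_.RegistryRights.ToString() -match 'FullControl'
    }

    [pscustomobject]@{
        AppID         = $Guid
        Description   = $props.'(default)'
        RunAs         = $props.RunAs          # normally 'Interactive User' on a stock system
        RunAsRenamed  = [bool]$props._RunAs   # $true once step 3 of the first list was applied
        Owner         = $acl.Owner            # changes from the stock owner after taking ownership
        CurrentUserFC = [bool]$meFull         # $true once Full Control was granted (step 2 / 4)
        # Either form of the change removes RunAs, so its absence is the indicator.
        Modified      = (-not $props.RunAs)
    }
}

Get-ExplorerFactoryRunAsState | Format-List
```

Run it before and after the procedure; a workstation where Modified is $true but nobody applied the change deserves a look, and the same output tells you what to restore when the separate-credential setup is no longer needed.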
