RANU: smarter CPL and MSC


I wish that .CPLs and .MSCs were smarter about normal users.  I want to be a normal user, open a Control Panel applet, and have it prompt me for credentials if needed.  Same thing for the administrative tools.


Here’s what I do instead.


I create a set of shortcuts in a folder called “Control Panel”:


runas.exe /user:Administrator “control access.cpl”


I even set the icon by pointing it back at the .CPL file.


I do something similar with a folder called “Administrative Tools”:


runas.exe /profile /user:Administrator “mmc %windir%\System32\compmgmt.msc”


Both folders go into the “Admin Tools“ folder, along with


CMD w/ network


runas.exe /env /user:Administrator “runas.exe /user:%USERDOMAIN%\%USERNAME% /env /netonly \”cmd\””


 


There’s a bug in Windows XP where certain controls running in this mode just won’t paint.  It seems to be fixed in Windows Server 2003.  Don’t know about Windows XP SP2.


 


CMD


runas.exe /env /user:Administrator “cmd”


 


Explorer w/ network. Enable “Launch folder windows in a separate process”, as both yourself & Administrator.


 


runas.exe /env /user:Administrator “runas.exe /user:%USERDOMAIN%\%USERNAME% /env /netonly \”explorer\””


 


Task manager


 


runas.exe /user:Administrator taskmgr.exe


 


Regedit


 


runas.exe /user:Administrator regedit.exe –m


 


The Admin Tools folder then becomes a toolbar on my taskbar.  With all this in place, I can get by as a normal user.

Comments (7)

  1. AT says:

    ;o)

    Completely agree

    Even more – no needs to ask Administrator account for user actions.

    But if user need to change something affecting not only his account – he must be prompted for login.

    Running select CPL’s as

    Administrator can change Administrator configuration instead of current user one.

    P.S> I wish ITG groups do not give Administrator password for Windows team development workstations or restrict Administrator account usage by time-limits (ex. 1 hour per day).

    This way Windows team will make it’s possible to run most of Windows apps without admin rights ;o))

  2. Bjoern Graf says:

    This is what OSX does and it makes it sooo easy to run as normal user and still being able to do administrative tasks without (fast-)swicthing users. Even the installer is smart enough to ask for roots password if it requires to do system canges (updates and friends).

  3. jaybaz [MS] says:

    Bjoern: I’m still not jealous.

  4. Drew says:

    "RANU" had me scratching my head for a minute. "Run(ning?) As (a) Normal User"? LUA, "Limited User Account", is the acronym de jour for this.

    On XP and Server 2003 (and maybe someone even backported the change to Win2k – I dunno), runas does "/profile" by default. If you’re trying to avoid the profile load you can use "/noprofile".

    The explorer and regedit tricks may not always work as expected. Explorer is single-instance per desktop by default, so you can end up spawning an explorer window in your LUA context instead of the admin’s. I’m pretty sure that regedit is always single-instance per desktop, so if there’s already one running you’ll only bring that to the front and focus on it. I don’t know whether taskman or the .cpls are single-instance.

    FUS (Fast User Switching) is probably the most painless way to avoid all of this hassle if the machine isn’t in a domain.

  5. jaybaz [MS] says:

    Drew: It looks like you’ve explored this pretty deeply. I’m glad to see that.

    regedit is single instance, unless you pass the -m flag.

    explorer is single instance unless you set the "Launch folder windows in a separate process" in the context that is doing the launching (administrator).

    RANU first mentioned in http://blogs.msdn.com/jaybaz_ms/archive/2004/06/21/161609.aspx.

  6. Bjoern Graf says:

    Oh, I didn’t meant to force anyone to switch or such a thing: I’m a happy XP user who happend to have the chance to play with OSX 🙂

  7. circuit_breaker says:

    anyone know of any good 3rd party file manager apps that would work well under an administrator secondary logon (that is what runas uses, right)? i want to find something portable to use so I don’t have to GP-enable every pc in my domain for explorer.exe ..