Vista, Domain Adminstration, & MMCs

Justin · External Since: Aug 22, 2006 Posts: 77

We are currently implementing the "best practice" method for those of us who
administer the domain (run with standard accounts, use separate accounts with
domain\exchange admin rights when needed), but in Vista, we cannot figure out
how to run a MMC Console as our admin accounts. When we do a RUNAS
/user:domain\adminaccount "MMC.exe mgmtconsole.msc", we get the following
error "740: The requested operation requires elevation". This also happens
when I run it from an elevated command prompt.

Josh · External Since: Nov 17, 2006 Posts: 39

runas doesn't get you a new token, hokey and we buged it but came back as
"by design" the best way is to right click a shortcut or setup one up to
run as admin.

--
Josh
http://windowsconnected.com
"Justin" <Justin.TakeThisOut@discussions.microsoft.com> wrote in message
news:C89AD702-6104-4394-874E-BC03C9058766@microsoft.com...
> We are currently implementing the "best practice" method for those of us
> who
> administer the domain (run with standard accounts, use separate accounts
> with
> domain\exchange admin rights when needed), but in Vista, we cannot figure
> out
> how to run a MMC Console as our admin accounts. When we do a RUNAS
> /user:domain\adminaccount "MMC.exe mgmtconsole.msc", we get the following
> error "740: The requested operation requires elevation". This also happens
> when I run it from an elevated command prompt.

Justin · External Since: Aug 22, 2006 Posts: 77

That does not work!!

If I tell it to "Run as Administrator", it runs it as a LOCAL ADMINISTRATOR.

That does not help if you need to authenticate as a
DOMAIN\ENTERPRISE\EXCHANGE ADMINISTRATOR. Our new corporate policy is that no
one is allowed to run interactively (unless that is the only option) as an
Domain\Etc. Admin. This is "Best Practices" from MS!

So what is MS going to do for us? Make Admins run WinXP?

I am sorry if my tone upsets anyone, but I spent 8hrs today beating my head
into the wall today trying to get this to work!

"Josh" wrote:

> runas doesn't get you a new token, hokey and we buged it but came back as
> "by design" the best way is to right click a shortcut or setup one up to
> run as admin.
>
> --
> Josh
> http://windowsconnected.com
> "Justin" <Justin.DeleteThis@discussions.microsoft.com> wrote in message
> news:C89AD702-6104-4394-874E-BC03C9058766@microsoft.com...
> > We are currently implementing the "best practice" method for those of us
> > who
> > administer the domain (run with standard accounts, use separate accounts
> > with
> > domain\exchange admin rights when needed), but in Vista, we cannot figure
> > out
> > how to run a MMC Console as our admin accounts. When we do a RUNAS
> > /user:domain\adminaccount "MMC.exe mgmtconsole.msc", we get the following
> > error "740: The requested operation requires elevation". This also happens
> > when I run it from an elevated command prompt.
>

OfficeXPSP3 · External Since: Nov 27, 2006 Posts: 6

Hi Justin,

I had the same frustration when I used RUNAS. I learned I need to set my
regular domain account as Local User, and then run one of the MMC once to put
it right above "All Programs", and then be able to use RUNAS as the way in
XP.
I CAN'T use RUNAS if the MMC is in "All Programs\Administrative Tools\".

After I prompted my regular domain account to Local Administrator group, I
CAN"T even use RUNAS as I described in the above.

One more thing I am not sure is "by design" or my stupidity is, at home, I
need to enable SSID boradcast to get my wireless card to detect my home
wireless netwrok. While I was on XP, I can disable SSID boradcast and enter
it manually along with WEP key to get connected. Has anyone experienced that?
THanks.

"Justin" wrote:

> That does not work!!
>
> If I tell it to "Run as Administrator", it runs it as a LOCAL ADMINISTRATOR.
>
> That does not help if you need to authenticate as a
> DOMAIN\ENTERPRISE\EXCHANGE ADMINISTRATOR. Our new corporate policy is that no
> one is allowed to run interactively (unless that is the only option) as an
> Domain\Etc. Admin. This is "Best Practices" from MS!
>
> So what is MS going to do for us? Make Admins run WinXP?
>
> I am sorry if my tone upsets anyone, but I spent 8hrs today beating my head
> into the wall today trying to get this to work!
>
> "Josh" wrote:
>
> > runas doesn't get you a new token, hokey and we buged it but came back as
> > "by design" the best way is to right click a shortcut or setup one up to
> > run as admin.
> >
> > --
> > Josh
> > http://windowsconnected.com
> > "Justin" <Justin.DeleteThis@discussions.microsoft.com> wrote in message
> > news:C89AD702-6104-4394-874E-BC03C9058766@microsoft.com...
> > > We are currently implementing the "best practice" method for those of us
> > > who
> > > administer the domain (run with standard accounts, use separate accounts
> > > with
> > > domain\exchange admin rights when needed), but in Vista, we cannot figure
> > > out
> > > how to run a MMC Console as our admin accounts. When we do a RUNAS
> > > /user:domain\adminaccount "MMC.exe mgmtconsole.msc", we get the following
> > > error "740: The requested operation requires elevation". This also happens
> > > when I run it from an elevated command prompt.
> >

Stuart [MVP] · External Since: Nov 20, 2006 Posts: 78

Well, I'd tell you to try the network password feature (previously found in
XP) but it looks like MS broke that as well (by no longer allowing DOMAIN\*
entries and not allowing one to re-sync network passwords with their
respective domains).

You can still use *.mydomain.com and enter a specific domain credential. You
can them reference any of their member servers/DCS's in your MMC (Connect
to...) option (assuming it supports that, not all do).

Regards,

Stuart.

"Justin" wrote:

> We are currently implementing the "best practice" method for those of us who
> administer the domain (run with standard accounts, use separate accounts with
> domain\exchange admin rights when needed), but in Vista, we cannot figure out
> how to run a MMC Console as our admin accounts. When we do a RUNAS
> /user:domain\adminaccount "MMC.exe mgmtconsole.msc", we get the following
> error "740: The requested operation requires elevation". This also happens
> when I run it from an elevated command prompt.

Stuart [MVP] · External Since: Nov 20, 2006 Posts: 78

I just ran across this. Does it help?

Windows Connected

Windows Vista Tip: Run as administrator
Today, December 01, 2006, 2 hours ago | Josh
Now that you have begun your Windows Vista testing you may find that you are
struggling a bit with performing remote admin operations on your Windows
Vista workstation like you used to on Windows XP. In Windows XP right
clicking on a shortcut in the start menu and selecting "Run as" would always
prompt you for the credentials you wanted to use to perform an operation. In
Windows Vista if you are a local administrator on the workstation the default
behavior doesn't prompt you for credentials, it presents with what is called
a Consent UI. Basically it makes the assumption that since the ID that you
are logged in with is an admin on the local workstation that the admin
operation that you are about to perform just needs your full token.

This assumption can be false in companies that have adopted the best
practice of maintaining a separate ID to perform administrative operations.
So even though you are an admin on your workstation your logon account has no
real rights to your domain. Here is a quick way to change the behavior of
that prompt to revert it to something more like Window XP.

Step 1.) Launch GPedit.msc with administrative rights.

Step 2.) Browse to Windows Settings | Local Policies | Security Options

Step 3.) Scroll down to User Account Control: Behavior of the elevation
prompt for administrators in Admin Approval Mode and double click

Step 4.) Change this value from Prompt for Consent to Prompt for Credentials

This will make every admin operation prompt you for credentials while it is
great if you do a lot of remote operations it can become tedious if you are
performing a lot of local admin operations. Additionally, if the process you
are running requires both local admin and remote admin rights you will need
to make sure that your admin account for the remote operation is also an
admin on your workstation as well.

Bonus Tip: If your machine is a member of the domain and you are trying to
use a local admin account in a credentials prompt you can put .\ in front of
the ID and the domain will automatically change your local workstation.

"Justin" wrote:

> That does not work!!
>
> If I tell it to "Run as Administrator", it runs it as a LOCAL ADMINISTRATOR.
>
> That does not help if you need to authenticate as a
> DOMAIN\ENTERPRISE\EXCHANGE ADMINISTRATOR. Our new corporate policy is that no
> one is allowed to run interactively (unless that is the only option) as an
> Domain\Etc. Admin. This is "Best Practices" from MS!
>
> So what is MS going to do for us? Make Admins run WinXP?
>
> I am sorry if my tone upsets anyone, but I spent 8hrs today beating my head
> into the wall today trying to get this to work!
>
> "Josh" wrote:
>
> > runas doesn't get you a new token, hokey and we buged it but came back as
> > "by design" the best way is to right click a shortcut or setup one up to
> > run as admin.
> >
> > --
> > Josh
> > http://windowsconnected.com
> > "Justin" <Justin.RemoveThis@discussions.microsoft.com> wrote in message
> > news:C89AD702-6104-4394-874E-BC03C9058766@microsoft.com...
> > > We are currently implementing the "best practice" method for those of us
> > > who
> > > administer the domain (run with standard accounts, use separate accounts
> > > with
> > > domain\exchange admin rights when needed), but in Vista, we cannot figure
> > > out
> > > how to run a MMC Console as our admin accounts. When we do a RUNAS
> > > /user:domain\adminaccount "MMC.exe mgmtconsole.msc", we get the following
> > > error "740: The requested operation requires elevation". This also happens
> > > when I run it from an elevated command prompt.
> >