How to start cmd.exe BOTH as administrator locally AND domain admin?

February 12, 2009

The new security model of Vista is nice. But I have the following problem: Some administrative actions cannot be started even if

it's run under Domain Admins.

e.g. if I am domain admin and type NET STOP SPOOLER as domain admin, you get Access denied on the local Vista system.

I then made a shortcut for C:\Windows\System32\cmd.exe /c runas /user:domain\adminuser cmd.exe which will start CMD as adminuser.

I then right-click on this shortcut and press run as administrator.

But it's still giving me access denied.

I have some scripts that needs to be run as both Domain Admin, and Local Admin.

How do I do this , except for modifying all my scripts?

--

-- HAL07, Engineering Services, Norway

-- Info: social.technet.microsoft.com/Forums/ replaces a lot of the newsgroups

February 18, 2009

User contexts are not additive - you cannot log on as user A, and run a

program as user B, expecting the result to be a combination of A+B's rights.

RunAs will _discard_ the current user's context in favour of a different

user's context.

What _is_ additive is the concept of group memberships - a user can be a

member of several groups. What you need to do, in order to get domain and

local administrator access is to create a domain account that is a member of

the Domain Administrators group, and then make that account also a member of

the local Administrators group on the machine you're working on. Or maybe

you want all Domain Admins to be local admins, which you can do by adding

the Domain Administrators group as a member of the local Administrators

group.

Alun.

~~~~

--

Texas Imperial Software | Web: http://www.wftpd.com/

23921 57th Ave SE | Blog: http://msmvps.com/alunj/

Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.

Fax/Voice +1(206)428-1991 | Try our NEW client software, WFTPD Explorer.

"HAL07" <yahoohal@online.yahoo.com> wrote in message

news:uodcCMPjJHA.500@TK2MSFTNGP06.phx.gbl...<span style="color:blue">

> The new security model of Vista is nice. But I have the following problem:

> Some administrative actions cannot be started even if it's run under

> Domain Admins.

> e.g. if I am domain admin and type NET STOP SPOOLER as domain admin, you

> get Access denied on the local Vista system.

>

> I then made a shortcut for C:WindowsSystem32cmd.exe /c runas

> /user:domainadminuser cmd.exe which will start CMD as adminuser.

> I then right-click on this shortcut and press run as administrator.

> But it's still giving me access denied.

>

> I have some scripts that needs to be run as both Domain Admin, and Local

> Admin.

> How do I do this , except for modifying all my scripts?

>

> --