Saturday, June 11, 2016

Running RSAT Tools as a (Domain) Admin

Every admin knows it's best practice not to use your domain administrator account as your regular logon account. You're supposed to log on with a regular user account and then elevate your permissions as needed.
So it's something of a contradiction that Microsoft provide the excellent Remote Server Administration Tools (RSAT) for Windows client OSes. These allow you to administer most functions of a server from the comfort of your desktop or laptop (or tablet, I guess), provided you're using an account with the requisite permissions.

In my most recent PC build I decided to try to find a way to do my administration tasks using RSAT (and some other tools) without having to log on as someone else, or do the clunky SHIFT+Right-Click > Run as Different User (which incidentally no longer works in the Windows 8.x Start Screen or the Windows 10 Start Menu).

After spending a while going through a variety of options that didn't work, I found out that at some point, without my noticing, Microsoft added a new switch called "/savecred" to the "runas" Windows command. This allows you to run something with different credentials and save the credentials you use for next time. Brilliant! Well, except for the fact that runas isn't very good at launching programs that have complex command-line arguments. It seems to be particularly bothered by nested quotes, something I'd need for launching the RSAT mmc consoles.

At some point recently I came across another handy command-line tool called "nircmd". It's a third-party utility that extends the command line with a bunch of abilities like editing the registry, creating shortcuts and elevating permissions. Elevating permissions was something I needed because, although "runas" can run something as another user, it still wasn't running in an elevated context (like when you right-click and select "Run as administrator"), meaning it couldn't launch RSAT tools properly. Or at all. Nircmd has a very handy switch called elevatecmd, which does exactly what I was after, and it's not so bothered by complex command-line arguments.

Brilliant, so here's an example of how to run the Active Directory Users and Computers tool as a domain admin account:

C:\Windows\System32\runas.exe /savecred /user:domain\adminuser "nircmd elevate mmc gpedit.msc"

Now that I've got that much, what I need next is a way to create the shortcuts for all those different admin tools without manually creating each one.
Thanks to some PowerShell wizardry, I happen to have this short script:

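# shortcuts.ps1 - create a .lnk file that launches $SourceExe with the given arguments
param ( [string]$SourceExe, [string]$ArgumentsToSourceExe, [string]$DestinationPath )
# WScript.Shell is the COM object that can create and edit shortcut files
$WshShell = New-Object -ComObject WScript.Shell
# $DestinationPath is the full path of the shortcut and must end in .lnk
$Shortcut = $WshShell.CreateShortcut($DestinationPath)
$Shortcut.TargetPath = $SourceExe
$Shortcut.Arguments = $ArgumentsToSourceExe
# Nothing is written to disk until Save() is called
$Shortcut.Save()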

If you save this as shortcuts.ps1 and run it with the following parameters it should drop a shortcut on your desktop (or change the path to put it wherever you like):

.\shortcuts.ps1 "C:\Windows\System32\runas.exe" "/savecred /user:domain\adminuser `"nircmd elevate mmc gpedit.msc`"" "C:\users\youruser\desktop\Group Policy Editor.lnk"

If you run the shortcut you'll be prompted for your admin credentials the first time, then after that it'll just run with no prompting.
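The prompt only appears once because runas /savecred stores the admin password in Windows Credential Manager under your regular user account, not in the shortcut. The script below is an added example (not part of the original post or its download) that lists the shortcuts relying on /savecred and the credentials currently saved; the search folders and the "interactive=" filter are assumptions.

```powershell
# Added example: audit shortcuts that call runas.exe with /savecred and
# list the credentials runas has stored for the current user.
param (
    # Folders to scan. These defaults are assumptions; pass your own paths.
    [string[]]$SearchPath = @(
        [Environment]::GetFolderPath('Desktop'),
        [Environment]::GetFolderPath('StartMenu')
    )
)

# Same COM object the post uses to create shortcuts; here it only reads them.
$WshShell = New-Object -ComObject WScript.Shell

# 1. Find .lnk files whose target is runas.exe and whose arguments use /savecred.
$links = Get-ChildItem -Path $SearchPath -Filter *.lnk -Recurse -ErrorAction SilentlyContinue
$hits = foreach ($lnk in $links) {
    $sc = $WshShell.CreateShortcut($lnk.FullName)   # opens the existing .lnk
    if ($sc.TargetPath -match '\\runas\.exe$' -and $sc.Arguments -match '/savecred') {
        # Pull the account name out of /user:DOMAIN\name
        $user = if ($sc.Arguments -match '/user:("?)([^"\s]+)\1') { $Matches[2] }
                else { '(not specified)' }
        [pscustomobject]@{
            Shortcut  = $lnk.FullName
            RunAsUser = $user
            Command   = $sc.Arguments
        }
    }
}
$hits | Format-List

# 2. List Credential Manager entries. Entries written by runas /savecred
#    normally have a target containing "interactive=" (an assumption about
#    the cmdkey output; review the full "cmdkey /list" if nothing matches).
cmdkey.exe /list |
    Select-String -Pattern 'interactive=' |
    ForEach-Object { $_.Line.Trim() }

# 3. To remove a saved credential that is no longer needed, delete it by the
#    target name printed above, for example (placeholder account):
#    cmdkey.exe /delete:Domain:interactive=DOMAIN\adminuser
```

After a saved credential is deleted, the matching shortcuts prompt for the password again on their next run.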

Finally, the biggest part of this task was to get the names of all the admin tools and their mmc's or exe's. I did that, and using Excel I managed to concatenate together a script to create shortcuts to all the tools in one fell swoop.

To save you the trouble of doing the same, I've uploaded the RAR file below containing the shortcuts.ps1 mentioned above, and a copy of my PowerShell script to create all the admin shortcuts I could find. All you need to do is search and replace in mkshortcuts.ps1 to change the domain, user and output path to suit you.

And that's it!  I hope this makes your life that little bit easier, like it has mine.

