August 05, 2011

Three uses for RunAs /netonly

RunAs has been a staple command for Windows XP administrators for many years and it has only partially been replaced by UAC’s “Run as administrator” on Windows 7. However, the value of the /NETONLY switch is something that is often overlooked. Here’s three use cases that show it’s worth:

1) Managing untrusted domains

If you ask any Active Directory expert they’ll tell you that you can’t log on at a computer unless the computer’s domain trusts the user’s domain. If you’re managing lots of totally separate Forests, you could end-up juggling a lot of Remote Desktop connections to run your admin tools in the various user contexts.

RunAs /NETONLY breaks the normal rules, allowing you to switch to any context, regardless of Forest/domain trusts.

C:\> runas /netonly /u:UntrustedDomain\User cmd.exe

2) Getting past Selective Authentication

A Forest trust may be in place, but Selective Authentication is often used to limit its use to specific computers - using the “Allowed to authenticate” permission. If you’ve ever seen the message below then you’ve been affected by this restriction:

Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine

RunAs /NETONLY punches through the “firewall”

C:\> runas /netonly /u:RestrictedDomain\User cmd.exe

3) Prevent unwanted UAC prompts

UAC was improved in Windows 7, but it can still confuse Administrators when a prompt pops up unexpectedly. Usually this is due to the RequestedExecutionLevel in the assembly manifest of the application being launched. If all you need is to switch context for remote permissions (e.g. Active Directory rights), the UAC elevation is unnecessary and gets in the way.

Avoid the confusion by using RunAs /NETONLY to prevent an unnecessary UAC prompt, when you don’t need local admin rights.

C:\> runas /netonly /u:Domain\User DSA.MSC


RunAs /NETONLY does not validate the password when it is entered. If you’ve made a typo, you won’t find out until a connection to a network resource is attempted.

WHOAMI.EXE will show the current interactive user and will not show details of the RunAS credentials – because there is no local logon.

No comments:

Post a Comment