While logged in to a Windows Desktop as a normal domain user (jonny) I wanted to be able to run the Active Directory Users and Computers snap-in as a Domain Admin user (adm-jonny) to do so requires using the ‘runas’ command.
When I had first tried using the ‘runas’ command I had problems related to permissions e.g. “The requested operation requires elevation”despite adding the Domain Admin user (adm-jonny) as an administrator on the local machine and running the command prompt as administrator and even using the runas command first to create a command prompt as the local administrator:
runas /user:MACHINENAME\administrator cmd
I then checked the user I was running as with whoami:
Although I would have expected this to have worked I kept getting error messages about elevation – so I had to resort to disabling UAC.
Disable UAC
To disable User Access Control in Windows 7 click: Start > Control Panel
Then type uac into the upper right search box
Next click on ‘Change User Account Control settings’
Set the slider to the bottom i.e. Never Notify
Note: Make sure you reboot after making this change!
Using Runas
Once I had disabled UAC I was able to successfully run the following command in a command prompt:
runas.exe /user:DOMAIN\adminusername "mmc c:\Windows\System32\dsa.msc"
So next I created a shortcut for the command, right-clicking the desktop and choosing New > Shortcut:
Next I entered the command with full paths to files:
c:\Windows\System32\runas.exe /SAVECRED /user:DOMAIN\adminusername "c:\Windows\System32\mmc.exe c:\Windows\System32\dsa.msc"
After creating the shortcut I right-clicked and chose Properties > Change Icon to set the icon to the mmc icon as follows:
Since you are one of the first Google responses I found for this, I wanted to present the solution that will avoid you from having to disable UAC.
Anything that requires elevation on your local PC can be solved this way as well:
C:\Windows\System32\runas.exe /user:domain\user /savecred “cmd /c mmc c:\console.msc”
The key is the cmd /c before typing mmc and the path to it which “carries out the command and then terminates”. This will prevent seeing a message about needing elevation and you can keep your UAC on your PC.
Just thought I would pass this along to anyone else who finds this through Google and wants a better solution.
Thanks Matt.
Even after disabling UAC I found that it would still throw a 740 error without the cmd /c in there. so that may be something for other people to try
Thanks Matt! That solved my problem!
I got an error with above, on Windows 7. However the following worked for me:
C:\Windows\System32\runas.exe /noprofile /user:domain\user “mmc”
You can put it in a .bat file, and save on desktop. Next time you need it, just double-click it, it will ask for password, give password, and you are in MMC as a domain\user.
Thanks
Excelent! Thks Matt
Great article thank you everyone. Question, is the cmd window supposed to stay open after the mmc appears? I can close the CMD. I can also close the MMC and the CMD closes.
Regards,
Rich
Here is how I get around the command prompt issue:
C:\Windows\System32\runas.exe /user:DOMAIN\USER “cmd /c start \”\” mmc %SystemRoot%\system32\dsa.msc”
I am deliberately leaving out the /SAVECRED parameter, as I want to be challenged each and every time for my admin password, and for the credentials NOT to be saved on my laptop. This opens a command prompt that justs asks for my password
It still opens the command prompt, but the moment ‘cmd /c’ passes to ‘start’, it closes the command prompt immediately.
I need to investigate why leaving out ‘cmd /c’ doesn’t work in a shortcut, as it works if I paste it into a command prompt:
C:\Windows\System32\runas.exe /user:DOMAIN\USER “start \”\” mmc %SystemRoot%\system32\dsa.msc”
Might look into that when I have the time.
Hi guys,
I’ve tried all of the above and none of them worked.
I need to run Active Directory like below:
runas /user:domain\username “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AD.msc”
I’m logged into the machine with a user from a domain, but I need to open AD with another user which is in a different domain that it’s included in my machine
Please let me know if you have any ideas.
Thank you in advance!