SoftTree Technologies SoftTree Technologies
Technical Support Forums
RegisterSearchFAQMemberlistUsergroupsLog in
RunAs and /V switch

 
Reply to topic    SoftTree Technologies Forum Index » 24x7 Scheduler, Event Server, Automation Suite View previous topic
View next topic
RunAs and /V switch
Author Message
awhayes



Joined: 17 Mar 2009
Posts: 3
Country: United States

Post RunAs and /V switch Reply with quote
I tried launching notepad on Windows XP as follows. If I don't include the /V switch, I get permission problems. Why the /V switch should have this effect is unclear to me when /V is defined as "use this switch if you want the launched process to appear on the interactive desktop". Is this switch obscuring the real problem? Or is the /V solving the problem? I assume the former since the app is not launched, i.e., not in task list. I appreciate any help. Thanks.

With /V switch:

C:\Downloads>runas <my>\ahayes <my> /V c:\Windows\system32\notepad.exe

RunAs version 2.2.1
Copyright (c) 2003-2007 SoftTree Technologies, Inc.

Logging in as ONEVISIONSW\ahayes...
Setting user environment...
Logged in. Impersonating...
Binding new process to the user Desktop...
Starting process c:\Windows\system32\notepad.exe...
Error #0: The operation completed successfully.

Without switch:

C:\Downloads>runas <my>\ahayes <my> c:\Windows\system32\notepad.exe

RunAs version 2.2.1
Copyright (c) 2003-2007 SoftTree Technologies, Inc.

Logging in as ONEVISIONSW\ahayes...
Error #1385: Logon failure: the user has not been granted the requested logon type at this computer.


Note: User account running RunAs must be assigned "Act as part of the operation system" rights and also have "Create token" rights. User account used to run the process must be assigned "Logon as a batch job" rights.
Wed Mar 18, 2009 10:16 am View user's profile Send private message
SysOp
Site Admin


Joined: 26 Nov 2006
Posts: 7838

Post Reply with quote
This switch binds the launched application to your interactive desktop and it runs as an interactive application. If this switch is not specified, the application runs as a batch process on whatever desktop Windows decides to use (there are multiple desktops, only one is visible) and the “Run-As” user needs to have "logon as a batch" in order to run batch processes in that mode. However /V is not always appropriate for batch processes especially these that run when the system is locked down and the interactive desktop is not available. Naturally it is a security related issue in Windows. Hope this explanation clarifies the situation with /V switch.
Wed Mar 18, 2009 12:36 pm View user's profile Send private message
awhayes



Joined: 17 Mar 2009
Posts: 3
Country: United States

Post Reply with quote
Thanks for the response. Obviously I am missing something here. I have added the user to the User Rights in my local settings to allow the policies mentioned below: "Act as part of the operation system", "Create token" and "Logon as a batch job", but still cannot seem to launch notepad. I have restarted the machine. I don't seem to be able to run the command below from either the console or a batch file. When youo say the RunAs user, do you refer to the user specified in the runas command or the user actually executing the runas command?
Wed Mar 18, 2009 5:54 pm View user's profile Send private message
SysOp
Site Admin


Joined: 26 Nov 2006
Posts: 7838

Post Reply with quote
Which user did you grant "logon as a batch" privilege? Process runner (e.g run-as) or process launcher?
Did you restart the system?
Is that a local user or domain user?
Thu Mar 19, 2009 8:18 am View user's profile Send private message
awhayes



Joined: 17 Mar 2009
Posts: 3
Country: United States

Post Reply with quote
First I tried my local machine. I granted the privileges to the domain user specified in the runas command, <my>\ahayes. This is a domain account and I was running under this account. I restarted every time after I changed any privileges. That didn't work so I asked IT to change the same privileges on the domain controller. That didn't appear to work either. Could you confirm what exactly needs to be done to enable these privileges to my domain account? Thanks for your help.
Thu Mar 19, 2009 9:04 am View user's profile Send private message
SysOp
Site Admin


Joined: 26 Nov 2006
Posts: 7838

Post Reply with quote
If you use domain users then all security related changes should be done on the domain level because GPO overrides local policy settings. Also, the domain user should be a member of the Administrators group. If you user a local user, then all changes should be done locally using Local Security Policy and the user can but doesn't have to be in Administrators group.
Thu Mar 19, 2009 9:16 am View user's profile Send private message
Display posts from previous:    
Reply to topic    SoftTree Technologies Forum Index » 24x7 Scheduler, Event Server, Automation Suite All times are GMT - 4 Hours
Page 1 of 1

 
Jump to: 
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


 

 

Powered by phpBB © 2001, 2005 phpBB Group
Design by Freestyle XL / Flowers Online.