MakeMeAdmin

From nemesis855 - 8/23/05 4:42 PM

this could be a newbie oversight somewhere, but downloaded and ran MMA and this was the result:

LEANIRON = workgroup name 

Glenmont = Administrator

johnnyd = user

"Enter the password for LEANIRON\Glenmont:
[entered password. I went through this process twice]
Attempting to start C:\DOCUME~1\johnnyd\Desktop\MAKEME~1.CMD LEANIRON\johnnyd as user "LEANIRON\Glenmont" ...
RUNAS ERROR: Unable to run - C:\DOCUME~1\johnnyd\Desktop\MAKEME~1.CMD LEANIRON\johnnyd
5: Access is denied.

Press any key to continue . . ."

Any clue where to start debugging? 

From 69.81.23.3 - 12/17/05 11:49 AM

This is a great utility, but be careful! Be aware that you MUST NOT run it when you are already logged on as the admin user you are trying to switch to, or in fact logged on as any ANY member of Adminstrators. The problem is the script will remove the current user from the Adminstrators group, and if that is the current users only group then the current user will not be able to log back on after logging off or rebooting. If this happens to you one solution is to logon as another Administrator user in non-safe mode and execute: net localgroup %_Group_% %_Admin%_/ADD eg net localgroup Administrators %USERDOMAIN%\myuser /ADD This does not work in safe mode because it requires the Workstation service to be running, and the Workstation service will not start in safe mode. A partial solution, which at least avoids becoming MakeMeAdmin as the current user and then removing that user is to edit the script: if "%1"=="" ( if "%_Admin_%" == "%_User_%" ( echo You are already logged on as the admin user: %_Admin_% pause ) else ( runas /u:%_Admin_% "%~s0 %_User_%" if ERRORLEVEL 1 echo. && pause ) ) else ( ...same text...not changed... ) This will not avoid being one Administrator user and removing a different Administrator user. Performing that check would require identifying if the current user is already a member of Administrators. I'm not sure how to do that from the command line. I found this out accidentally late last night when I was too tired to realize which account I was logged onto!

From cluelesswonder567 [65.94.131.144] - 1/4/06 7:43 AM

i opened the program and it asked for my account password, but i couldn't type it in. Any suggestions?

From Aaron Margosis [66.92.150.174] - 1/5/06 5:15 AM

MakeMeAdmin invokes runas.exe.  When you type your password as prompted by runas, it doesn't echo any characters back to the screen.  Go ahead and type your password and press Enter.

From Patrick [130.123.128.114] - 1/11/06 8:12 PM

Hi Aaron,

If I already have a explorer window open (e.g. C:\, My Computer etc...) and then try launching "explorer /e" from a command prompt with Administrator privledges, then another instance of explorer appears but it doesn't have admin privledges. If I close all other explorer windows and then try again it works. I do have "Launch Folder Windows in a Separate Process" enabled.

Do you know why this behaviour is occurring ?

Regards,

Patrick 

From Aaron Margosis [206.165.183.170] - 1/12/06 6:50 AM

Patrick,

There are no rules or guarantees.  Explorer wasn't designed to support multiple simultaneous security contexts on the same desktop.  The fact that SeparateProcess helps support RunAs at all is an unintended side effect.  That's one of the reasons I always use PrivBar.

From Callie Jordan [209.216.169.190] - 1/12/06 10:06 AM

Oh dear, I'm afraid I got lost. I'm trying to fix up my friends/family as LUA but I *do* need to be able to explain how to do some of the things that they won't be allowed to as LUA. So it sounds like I should NOT show them MakeMeAdmin. I think all I've planned to do is have them use RunAs from the right click menu, which I thought I understood to grant Admin privileges for that *one* time use. Not only do they not need MakeMeAdmin if RunAs works as I thought I understood, but PrivBar etc would be more complicated than I think they can handle. Especially since I'm not physically at their computer and have to send them directions to do it themselves. Is Vista going to be any easier for the normal person to understand/use???

From Aaron Margosis [208.29.145.75] - 1/16/06 7:22 PM

Callie,

MakeMeAdmin is a tool to give the current user account temporary admin power.  Usually all you need is an admin account - not necessarily the same account that the user is currently using.  If all you need is admin privileges, RunAs can get that for you.  I should also add that RunAs requires that the admin account have a password; MakeMeAdmin requires that both the current account and the local admin account both have passwords.  For home users, Fast User Switching is usually the best way to switch between admin and unprivileged contexts, and in that case, blank passwords may also be better.  For more info, see http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/158806.aspx

From Callie Jordan [209.216.181.214] - 1/18/06 7:28 PM

Thanks for that clarification in RunaAs vis MakeMeAdmin. I've been using the advice from your "easiest way to run" original post for quite a while, thanks. But that reminds me --- my Fast User Switching stopped working. I haven't done any research yet about why not, but as it stands now I have to log out of the LUA acct in order to log in as Admin. I used to do it like you said with User A and User B, darn. But in the meantime, RunAs is also very useful. Thanks again.

From r00t440@yahoo.com [203.131.88.74] - 6/6/06 4:41 AM

Aaron, there are other security issues that would arise even when using MakeMeAdmin. Example, I tried using it to run a certain game (FreeStyleOnline), the game worked flawlessly, but clicking on one of the links of the game's Welcome/Splash screen spawned an Internet Explorer with access similar to that of an admin. With this spawned IE, I am able to delete any files from say "Program Files" which a restricted user cannot. In fact, I was also able to create a new user from this spawned IE, actually I can create a user belonging to Administrators group through this way which for me breaks security.

Perhaps it would be better if, we can set certain executables/programs to run with access similar to that of an admin but all of its child processes should have access of a user or better yet "guest". ^^

There's also "runasspc" (i use it), I don't know if your guys have tried it. 

"Fixing LUA bugs I and II" are greate guides. Way to go Aaron!

From AaronMargosis - 6/6/06 11:44 PM

r00t440 - I would submit that those are not security issues with MakeMeAdmin, since MMA is intended to be used by legitimate admins of the system.  Look at Fixing LUA Bugs Part II and running apps as admin - very high risk, and difficult-to-impossible to constrain.  The 3rd party tools I mentioned will prevent child processes from inheriting the admin token, but they won't prevent those apps from being misused.