Re: RunAs

From: martin (gremagehan_at_web.de)
Date: 06/14/05

    To: focus-ms@securityfocus.com
    Date: Tue, 14 Jun 2005 15:45:18 +0200
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hi all,

    many thanks for all your contributions. I see I should be more precise.
    I have a w2k-box with a scanner (HP). All users in my company can come to me
    and use this scanner. But only a user with admin rights can use this
    scanner. (Probably the driver was designed for W9x. I did not find a W2k
    version.) I (as Admin) can/will not wait for someone's scan requests and
    scan some pics .... etc. (I have many other things to do :) )
    To give an admin password to all users is also not really a good idea.

    I thought that I can create a kind of "weakAdmin" which can only use this
    scanner (and can't install some software, remove users .... ) Every user can
    then use scanner (as "weakAdmin") and the (power-)full Admin will be reserved
    only for me. Or do you think it can be solved with a user group?

    Anyway, I don't know how to set some advanced settings (for users and groups).
    I can only set a user as (Admin, PowerUser or User).

    @mario : our domain is a little bit complex. AFAIK we have linux-boxes (many
    desktops and ca. 100 PCs in cluster), aix, sun, Win2k, WinXP (Home and Pro)
    and probably also W98 ... Because we have many *nix machines I presume our
    domain server is a *nix server.

    Many thanks in advance
    Martin
    On Monday 13 June 2005 17:45, you wrote:
    > Hi Martin,
    >
    > Regarding your question, it is possible. But if you need to do
    > something like that my suggestion is that you make specific consoles
    > for these "administrators". Where they can only access that specific
    > console, and it only has your defined actions. Also, look at the GPO
    > features, you weren't specific on that so I don't know if these w2k
    > machines are on a win2k/win2k3 domain or if it is a workgroup, either
    > way you can assign GPOs that could do whatever you want.
    > Anyway, what you are asking doesn't seem to have much to do with the
    > runas feature. That feature only enables you to run an application
    > with different rights than those with which you logged in to the network.
    >
    > Hope that helped...
    >
    > On 6/12/05, martin <gremagehan@web.de> wrote:
    > > -----BEGIN PGP SIGNED MESSAGE-----
    > > Hash: SHA1
    > >
    > > Hello,
    > >
    > > maybe I don't understand the runas feature, but isn't the following the
    > > same?
    > > 1.1) login as Admin
    > > 1.2) double-click on some App
    > > 2) call some Application as follows: "runas /user:Administrator
    > > <application.exe>"
    > >
    > > I have W2K for workstations. I can create a new user with admin privileges
    > > but I don't see how to restrict some rights (e.g. my admin2 should be able
    > > to install new applications but he should not be able to create a new user).
    > > Is it possible?
    > >
    > > Thanks in advance
    > > Martin
    > > -----BEGIN PGP SIGNATURE-----
    > > Version: GnuPG v1.2.2 (GNU/Linux)
    > >
    > > iD8DBQFCrAaj9w5olJf0Oq8RAhj2AJwLcU07wUpiIFnv/W8cVIlRc5w+ZACfRrAF
    > > MzW60F6u1reG/2Lxd8IOaiU=
    > > =V3Wf
    > > -----END PGP SIGNATURE-----
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.2 (GNU/Linux)

    iD8DBQFCrt+69w5olJf0Oq8RAj97AKDc+1rZv4CxLCP5SK36U9CHdViKswCgtEfi
    k2ctTgzJsKVuuC/ot2lKVz0=
    =duWu
    -----END PGP SIGNATURE-----
