Re: How to start cmd.exe BOTH as administrator locally AND domain admin?

User contexts are not additive - you cannot log on as user A, and run a program as user B, expecting the result to be a combination of A+B's rights.

RunAs will _discard_ the current user's context in favour of a different user's context.

What _is_ additive is the concept of group memberships - a user can be a member of several groups. What you need to do, in order to get domain and local administrator access is to create a domain account that is a member of the Domain Administrators group, and then make that account also a member of the local Administrators group on the machine you're working on. Or maybe you want all Domain Admins to be local admins, which you can do by adding the Domain Administrators group as a member of the local Administrators group.

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(206)428-1991 | Try our NEW client software, WFTPD Explorer.

"HAL07" <yahoohal@xxxxxxxxxxxxxxxx> wrote in message news:uodcCMPjJHA.500@xxxxxxxxxxxxxxxxxxxxxxx
The new security model of Vista is nice. But I have the following problem: Some administrative actions cannot be started even if it's run under Domain Admins.
e.g. if I am domain admin and type NET STOP SPOOLER as domain admin, you get Access denied on the local Vista system.

I then made a shortcut for C:\Windows\System32\cmd.exe /c runas /user:domain\adminuser cmd.exe which will start CMD as adminuser.
I then right-click on this shortcut and press run as administrator.
But it's still giving me access denied.

I have some scripts that needs to be run as both Domain Admin, and Local Admin.
How do I do this , except for modifying all my scripts?


--
-- HAL07, Engineering Services, Norway
-- Info: social.technet.microsoft.com/Forums/ replaces a lot of the newsgroups

.

Relevant Pages

  • Re: Group Policy
    ... You have to keep attention of "Members of this group" and "This group is a member of". ... administrators group of all computers in the domain. ... restricted groups, however this GP setting will remove all the users ... The Domain User of the PC to be only added to his local administrators ...
    (microsoft.public.windows.server.active_directory)
  • Re: restricted groups for local admin rights
    ... I'm referring to local administrators and not domain administrators?) ... > describe you want to use the "member of" option for restricted groups. ... > way you can add a global group to the administrators group without affecting ...
    (microsoft.public.windows.group_policy)
  • Re: How to start cmd.exe BOTH as administrator locally AND domain admin?
    ... What you need to do, in order to get domain and local administrator access is to create a domain account that is a member of the Domain Administrators group, and then make that account also a member of the local Administrators group on the machine you're working on. ...
    (microsoft.public.windows.vista.security)
  • Re: Automatically assign user as administrator
    ... You can add a users domain account to the local administrators group on any member ... users currently in the local administrators group on those computers will be removed. ...
    (microsoft.public.win2000.security)
  • Re: NT 4 domain Admin group to XP local admin group
    ... If you know the local administrators password, ... get added to the local administrators group during a domain join. ... that you needed to add the domain admin ... | "Andy Halsall" wrote in message ...
    (microsoft.public.windowsxp.security_admin)