
I'm working with a tool that runs programs on behalf of hundreds of users on multiple machines. This works fine on Linux because I can just run as "root" and use su or sudo to impersonate them without a password.

On Windows, runas has the "/savecred" option, but that won't help if there are hundreds of machines and hundreds of users. Typing 10,000 passwords that I should not know just isn't going to happen.

On the accounting side, this work should be done by the user who requested it so becoming their account is the right thing to do.

Now, I was under the impression that there was an ACL that could be applied to an account that would allow it to run a process as another user without requiring a password. Has anyone heard of this? I've dug around here already and no such luck.

If there is, how do you set it up and can I make use of runas or do I have to write a C/C++ app to make my own tool?

Thanks!

RandomInsano
  • There is probably an easier way to do what you need to get done, what is it you are trying to do? – Sum1sAdmin Dec 20 '17 at 17:21
  • I don't know about Windows local accounts, but it is possible to impersonate Active Directory accounts. Fairly straightforward in .NET, so you wouldn't need to do it in C/C++. – Greg Askew Dec 20 '17 at 17:33
  • @Sum1sAdmin: This app automatically controls long running processes from a command line. They're arbitrary programs, but the essence is this: Run three days of computing on that box over there so I don't have to do it on my machine. Some companies need to be secure, so every invocation should have its own temporary storage, network shares, access rules, etc. I'm being purposely vague though, hopefully it's not too cumbersome to think about. – RandomInsano Dec 20 '17 at 17:44
  • It is a little cumbersome - do you want these programs to run inside a real user's session? You want to impersonate them without their knowledge or you want to administer their environments? It sounds like a botnet, I don't see the application within the scheme of things – Sum1sAdmin Dec 20 '17 at 17:54
  • Real sessions, they'll know we're doing it, we're just running programs. Imagine... notepad, but where it needs to run some heavy operation. – RandomInsano Dec 20 '17 at 18:39
  • I know administrators can create scheduled tasks to run as the currently logged on user, but if the user is not actively logged on you may want to look into impersonation: https://technet.microsoft.com/en-us/library/cc961980.aspx – twconnell Dec 21 '17 at 18:03
  • @GregAskew Does Impersonate require the user's password? – uSlackr Dec 22 '17 at 18:36
  • @uSlackr: No, an account can be impersonated without the password. – Greg Askew Dec 22 '17 at 18:52

0 Answers