December 06, 2004
Running as Non-Admin, Day 6

Non-admin has been working so well on my main desktop, I decided to switch my laptop over too.
Things worked fine, as they did on my desktop machine. But when I logged on as Administrator to remove my domain account from the Administrators group, I had a message on the taskbar telling me that the system could not find a certificate to log me on to the wireless network.
Microsoft has a wireless network on campus, and you need to obtain a certificate to be able to access it. You have to be connected to the physical (meaning non-wireless -- what do you call that? A land line?) network to get the certificate. I hadn't realized that the certificate was actually tied to the account you logged in as, but evidently it was. In fact some testing confirmed that if you log in as an account that does have a wireless certificate, and then log on as an account that does not, you have wireless network connectivity for about 30 seconds while it figures this out, and then it cuts you off.
I imagined some future day where I would be on the wireless network and need to do something as local Administrator, but also need to stay on the wireless network. One example would be briefly adding my domain account back to the Administrators group. To do this in the UI, you have to log off, log back on as Administrator, and then add your domain account to the Administrators group, which requires browsing the domain, which you couldn't do if you lost your wireless connectivity when you logged on as Administrator.
(I will interrupt myself at this point to mention that Aaron Margosis's excellent MakeMeAdmin script solves this problem, by allowing you to temporarily add your domain account to the Administrators group without a) logging on as Administrator or b) using the UI. This is basically all you need, since once your local account is administrator you have no need to actually log on as local Administrator. But there seem to be some cases where you can't do the stuff you need from the command prompt, so I'll continue on my quest. It also occurs to me as I am writing this that I could stay logged on as my domain account, therefore preserving my wireless connectivity, and run the computer management MMC console as the local administrator. This would work, but MakeMeAdmin.cmd is much easier and simpler.)
Anyway, I decided I should get a wireless certificate for my laptop's Administrator account.
The first step was to go to the appropriate corporate network site. This requires my domain credentials. But when I right-click on Internet Explorer in the Start menu, it doesn't have "Run As" as an option. Aaron, once again, comes to the rescue, pointing out in his RunAs With Explorer post that although "Run As" is not available when you right-click on IE from the Start Menu OR the desktop shortcut, it IS available when you right-click on it from the Quick Launch area (the little icons just to the right of the Start button). I was browsing his site on my desktop, so I tested this there -- first I had to turn on Quick Launch from taskbar Properties -- and indeed that IE icon has the full set of options. Why does this one have it but the other two (Start menu and desktop) don't? HTFSIK!!! But I hate things like this where somebody at Microsoft obviously did some thinking about this, and either missed one case, or made a choice I disagree with.
Moving right along, I switch over to my laptop, which is logged in as Administrator, enable Quick Launch on the taskbar...and there's no IE icon. I have no idea why, and a quick spin through IE config shows no obvious way to turn it on.
Well, not a big deal, I can just do Aaron's other suggestion, which is to use runas.exe to run iexplore.exe (which is IE) as my domain account. So I type "runas.exe /user:[my domain account] iexplore.exe". Only problem is, it can't find iexplore.exe. I launch IE from the Start menu and confirm the process is indeed called iexplore.exe. I guess it's not in my path? I run "dir /s iexplore.exe" from c:\, and it comes up blank. Well, aux grands maux les grands remèdes, as they say. So I fire up Monad and run "get-process iexplore.exe | pick Path" which 'fesses up that the file is in "\Program Files\Internet Explorer". But it's still hidden from dir, unless you use the /a:s switch. At least the hiding of the file from dir doesn't block you from running it, so now I can use runas.exe to get IE up as my domain account.
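The two tricks in the paragraph above (find an executable that plain "dir" skips because of its attributes, then hand its full path to runas.exe) can be scripted so you never depend on PATH or on remembering the /a switch. The following is an added example written for this page; it is not code from the post, from Monad, or from Aaron Margosis's MakeMeAdmin. It assumes Windows PowerShell 3.0 or later (the Monad build discussed above had different cmdlet names), that runas.exe is present in System32, and the account names and intranet URL in the usage comments are hypothetical placeholders.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 3.0+
# (for -File on Get-ChildItem) and the stock runas.exe in System32.

function Find-Executable {
    # Locate an executable by name even when it carries the Hidden and/or System
    # attributes that make a plain "dir /s" skip it. -Force is the Get-ChildItem
    # counterpart of "dir /a": include everything regardless of attributes.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string[]] $Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
                            Where-Object { $_ }   # drop roots that are unset (e.g. x86 on 32-bit)
    )
    foreach ($root in $Roots) {
        $hit = Get-ChildItem -Path $root -Filter $Name -Recurse -Force -File -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($hit) { return $hit.FullName }
    }
    return $null
}

function Get-FileAttributeReport {
    # Explain why "dir" hid the file: report which of the attributes that
    # suppress a file from the default listing are set on it.
    param([Parameter(Mandatory)] [string] $Path)
    $item = Get-Item -LiteralPath $Path -Force
    [pscustomobject]@{
        Path   = $item.FullName
        Hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        System = [bool]($item.Attributes -band [IO.FileAttributes]::System)
    }
}

function Start-AsUser {
    # Launch a program under other credentials through runas.exe, as the post
    # does by hand. Passing the quoted full path means runas never has to find
    # the executable on PATH. /netonly is deliberately not used: the post needs
    # the whole logon token (including the domain identity) to belong to the
    # target account, not merely its network credentials.
    param(
        [Parameter(Mandatory)] [string] $User,      # e.g. 'CORP\someuser' or 'Administrator' (placeholders)
        [Parameter(Mandatory)] [string] $Program,   # full path from Find-Executable, or a name on PATH
        [string] $Arguments = ''
    )
    # runas wants a single "program args" string as its last argument; quoting
    # the program path keeps spaces in "Program Files" intact.
    $cmdline = ('"{0}" {1}' -f $Program, $Arguments).Trim()
    # runas.exe prompts for the password on the console by design; it has no
    # switch to take one, so the password never ends up in a script or history.
    & "$env:SystemRoot\System32\runas.exe" "/user:$User" $cmdline
}

# Usage (account names and URL are hypothetical):
#   $ie = Find-Executable -Name 'iexplore.exe'
#   Get-FileAttributeReport -Path $ie      # Hidden/System true => plain "dir /s" skipped it
#   Start-AsUser -User 'CORP\someuser' -Program $ie -Arguments 'http://intranet/'
#
# The alternative the post mentions: stay logged on as the domain account, so the
# wireless certificate keeps working, and open Computer Management as the local
# Administrator to edit group membership:
#   Start-AsUser -User 'Administrator' -Program "$env:SystemRoot\System32\mmc.exe" -Arguments 'compmgmt.msc'
```

If you would rather not shell out to runas.exe at all, Start-Process accepts a -Credential parameter and does the same secondary logon from within PowerShell; the runas form is kept here because it is what the post is working with.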
(Digression: Internet Explorer will prompt you for credentials on websites as needed, but as I browse the corporate network looking for the page to set up wireless certificates I get prompted about 5 times, so it's not very convenient unless I want IE to cache my domain password, which I really don't.)
Eventually I made it to the internal website where you set up your wireless certificate. It warns that if the user and machine account are not in the same domain it "may" not work, and also that you have to be local admin to set up the certificate (which is reasonable). You actually need two certificates, one for the computer and one for the user (I presumably have the computer one but don't have the user one for the local Administrator account).
It turns out that domain accounts are set for Auto Enrollment, meaning when you join the computer to a domain, it automatically obtains client and computer certificates. This also means that the case of trying to add a user certificate is unusual...but nonetheless the instructions are excellent, with screen shots of every dialog box. Score one for Microsoft IT.
SADLY when I get down to the end of things, I can't add a certificate for the local Administrator account. The specific error is inability to browse the Active Directory, but I don't know if this is just a bump in the road that could be overcome if I knew how, or a by-design feature whose effect (preventing you from getting a wireless certificate for a non-domain account) is actually intentional.
So I can't use the wireless net as local Administrator...luckily, with clever stuff like MakeMeAdmin.cmd, I shouldn't ever have to. Unfortunately the same could not necessarily be said for Joe Random User.
Posted by AdamBa at December 6, 2004 01:21 PM
You can drop a shortcut from your Start Menu into a MakeMeAdmin command prompt (well, any command prompt) and hit Enter to launch it. To run a file, simply type 'start', a space, then drop the file you want to run, and hit Enter.
I'm doing this a lot at the moment as I'm maintaining/enhancing an application server written using VB6 which consists of a bunch of COM DLLs, a COM server, and a main server which needs write access to the Windows directory (don't ask) for config changes. VB6 basically doesn't work if you're not an admin. VS.NET is a lot more polite but it still needs to be able to write to HKEY_CLASSES_ROOT for a COM component's class and interface information.
The .NET Framework SDK tool tlbimp doesn't work properly if you're not an administrator, either. For my requirement (building Primary Interop Assemblies for the above tool) it complains that invalid strong name parameters were supplied.
Posted by: Mike Dimmick at December 6, 2004 03:44 PM
Interesting- when I run dir /s iexplore.exe, it correctly locates the Internet Explorer directory:
C:\>dir /s iexplore.exe
Volume in drive C has no label.
Volume Serial Number is 6CDE-XXXX
Directory of C:\Program Files\Internet Explorer
08/03/2004 11:56 PM 93,184 iexplore.exe
1 File(s) 93,184 bytes
Good to know that monad was able to locate this directory for you regardless.
Posted by: Greg Chappell at December 6, 2004 05:53 PM
Mike, that's interesting about being able to drop a shortcut into the command prompt! But when I do it with desktop shortcuts (like IE), it only drops the .lnk file, which doesn't seem to work with start or runas.exe.
Greg, I'm running XP SP2, don't know if that affects it. I always thought of /a:s as a filter, not something that would enable viewing a file you couldn't see otherwise, but I guess when this change was made /a:s was repurposed for that (figuring that anyone who used it really did want to see system files).
Posted by: Adam Barr at December 6, 2004 10:46 PM
I love reading these "run as non-admin" type articles. Thanks for the pointer to Aaron's blog.
The thing is, I used to be a hardcore unix zealot. One of the main reasons I "converted" to Windows was for administrator ease of use. i.e. There is a GUI for almost every admin task and the command line is not necessary. I just couldn't see Unix becoming mainstream with the pain and knowledge it took (and still does) to administer.
As a software developer who runs as admin, and someone who's burned regularly by other software developers who run as admin, I'm sympathetic to the cause. I will not run as non-admin though if it requires all this massive hoop-jumping-through-crap that you and Aaron and many others are helping document at last.
I guess I must wait for Longhorn, which is too bad. Service packs to these problems for W2K and WinXP would probably be appreciated by more than just me.
On a related note, I'm not sure if I will be a good user of Monad or not. As someone who came from the Unix world, it took me years to get over my love of csh. That being said, I AM over it. I love not having to use the command line for anything (although you wouldn't have caught me using a Mac pre-OS X due to the fact that a command line wasn't even an option).
I guess I'm happy that Windows is finally getting some of the (IMHO) killer features of Unix (sudo, csh, user switching, etc.). I'm just not likely to use them anymore though. Such is life.
Posted by: Michael Maddox at December 7, 2004 04:39 AM