Forum: SuRun English speaking
Elevation fails if user is in network admin group
jweinraub #1
Member since Nov 2018 · 8 posts
Group memberships: Mitglieder
I have an end-user that needs elevation to the mmc.exe diskmgmt.msc.  The user will get access denied if they are a member of the network admin group.  Is this something that can be fixed, as there seems to be no substitute?  By adding control.exe ncpa.cpl will launch the control panel but properties still requires UAC and thus no way of accessing it.  The user will need both actions for his role. Is there a better work-around/fix?

Thanks.
Kay (Administrator) #2
User title: Weltverbesserer
Member since Nov 2007 · 1494 posts · Location: Magdeburg
Group memberships: Administratoren, Mitglieder
1.)
Running "SuRun diskmgmt.msc" works fine on my machine.
I'm a domain admin in our company.

My guess about the disk management is that in your domain a gpo or acl exists that denies all domain admins access to diskmgmt.msc. If this is the case, you need to run diskmgmt.msc in the elevated context of another user:
"SuRun /RunAs /User <SomeOtherUser> diskmgmt.msc"
If I was guessing wrong, tell me what happens so I can try to reproduce.

2.)
Control.exe will always run "cpl" files non elevated.
So just run "SuRun ncpa.cpl" and it will get elevated.
jweinraub #3
Member since Nov 2018 · 8 posts
Group memberships: Mitglieder
Thanks for the reply.  For non-admin users diskmgmt.msc spawns mmc.exe, and that does the trick.  But if the end-user is in the Network Administrators group specifically, diskmgmt.msc gets access denied.  Soon as I remove them from that group it works again. 

If I use surun ncpa.cpl it spawns it as an admin process so right clicking properties on the network card even using the standard user credentials for UAC will be elevated?
jweinraub #4
Member since Nov 2018 · 8 posts
Group memberships: Mitglieder
PS- We restrict only what's in the list so it provides an error if I say diskmgmt.msc as an invalid program.
If I leave it as is and use the surun for the ncpa I get:

SuRun options restrict You (MYDOM\test) to run specified applications only.

You are not permitted to start 'C:\Windows\explorer.exe /n, ::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}' with elevated rights.

For disk management, it says mmc.exe is denied since the msc is spawning it.  We are only allowing the endusers to use very specific tools from the list.
Kay (Administrator) #5
User title: Weltverbesserer
Member since Nov 2007 · 1494 posts · Location: Magdeburg
Group memberships: Administratoren, Mitglieder
Are you in control of SuRun's white-list or are you a user?
jweinraub #6
Member since Nov 2018 · 8 posts
Group memberships: Mitglieder
I am admin trying to set this up for one of the teams here.
Kay (Administrator) #7
User title: Weltverbesserer
Member since Nov 2007 · 1494 posts · Location: Magdeburg
Group memberships: Administratoren, Mitglieder
"surun ncpa.cpl" is resolved by SuRun to "C:\Windows\explorer.exe /n, ::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}".

"surun diskmgmt.msc" is resolved to "C:\WINDOWS\system32\mmc.exe C:\WINDOWS\system32\diskmgmt.msc"

So the entries in SuRun's whitelist for the users should be something like:
[WhiteList]
1="C:\Windows\explorer.exe /n, ::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}"
2="C:\WINDOWS\system32\mmc.exe C:\WINDOWS\system32\diskmgmt.msc"
[WhiteListFlags]
1=3
2=3

What I still don't understand is why Domain Admins cannot start "C:\WINDOWS\system32\mmc.exe C:\WINDOWS\system32\diskmgmt.msc" with elevation.

Do you have any software restriction systems running?
jweinraub #8
Member since Nov 2018 · 8 posts
Group memberships: Mitglieder
I can do what I want I am a full admin, my endusers are restricted accounts and thus only want them to access these two things.  I can add explorer.exe* with a wildcard and it works fine but I feel that can be too dangerous but that can work too?
Kay (Administrator) #9
User title: Weltverbesserer
Member since Nov 2007 · 1494 posts · Location: Magdeburg
Group memberships: Administratoren, Mitglieder
In reply to post #7
What I completely forgot to ask: Are you using SuRun 1.2.1.3rc1? http://forum.kay-bruns.de/post/4076
Kay (Administrator) #10
User title: Weltverbesserer
Member since Nov 2007 · 1494 posts · Location: Magdeburg
Group memberships: Administratoren, Mitglieder
In reply to post #8
Quote by jweinraub:
I can add explorer.exe* with a wildcard and it works fine but I feel that can be too dangerous but that can work too?

Yes, wildcards are not a good idea to run specific programs.

But now I'm even more confused... When you add explorer.exe* to the white-list, you can run mmc.exe? :huh:
jweinraub #11
Member since Nov 2018 · 8 posts
Group memberships: Mitglieder
I am using 1.2.1.2.

The disk management works by
surun mmc.exe diskmgmt.msc
as mmc.exe needed to be elevated since diskmgmt.msc is a snap-in.
surun ncpa.cpl
works now and I added the explorer.exe with the full guid that was there.  I assume that will work for people that are using the same build of Windows 10, is that a universal thing? 

Sorry for all the confusion I am sure what we are doing isn't that common.  However, what I don't get is why I got access denied if the enduser was included into the built-in network admin group--the snapin loaded but the virtual drive manager received access denied.

For brevity and for others in a similar boat, this is my complete whitelist

[WhiteList]
0="C:\Windows\System32\ncpa.cpl"
1="C:\Windows\System32\mmc.exe diskmgmt.msc"
2="C:\Windows\explorer.exe /n, ::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}"
[WhiteListFlags]
0=3
1=3
2=3

The surun's I have saved as batch files for the end-users' ease of access.

Thank you for your assistance
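
An added example (not part of the original thread and not SuRun code): a small Python audit of a white-list in the text form posted above. It flags wildcard entries like the one discussed in posts #8 and #10, and file arguments that are not full paths, unlike the resolved commands Kay quotes in post #7. The function names and the list of file extensions are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# White-list text copied from post #11 of this thread.
SAMPLE = r'''[WhiteList]
0="C:\Windows\System32\ncpa.cpl"
1="C:\Windows\System32\mmc.exe diskmgmt.msc"
2="C:\Windows\explorer.exe /n, ::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}"
[WhiteListFlags]
0=3
1=3
2=3
'''

# Constructed entry: the wildcard form discussed in posts #8 and #10.
WILDCARD_SAMPLE = '[WhiteList]\n0="C:\\Windows\\explorer.exe*"\n'

# Assumed set of extensions that mark a token as a file to be launched.
FILE_TOKEN = re.compile(r"\.(exe|msc|cpl|bat|cmd)$", re.IGNORECASE)


def parse_whitelist(text):
    """Return {index: command} for the [WhiteList] section only."""
    entries, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "WhiteList" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip().strip('"')
    return entries


def audit(text):
    """Return sorted (index, finding) pairs that deserve a manual review."""
    findings = []
    for idx, cmd in parse_whitelist(text).items():
        if "*" in cmd or "?" in cmd:
            findings.append((idx, "wildcard"))
        # Naive whitespace split: paths containing spaces need quoting-aware parsing.
        for token in cmd.split():
            tok = token.strip('",')
            if FILE_TOKEN.search(tok) and not PureWindowsPath(tok).is_absolute():
                findings.append((idx, "relative-path:" + tok))
    return sorted(findings)


if __name__ == "__main__":
    for text in (SAMPLE, WILDCARD_SAMPLE):
        print(audit(text))
```
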
Kay (Administrator) #12
User title: Weltverbesserer
Member since Nov 2007 · 1494 posts · Location: Magdeburg
Group memberships: Administratoren, Mitglieder
Quote by jweinraub:
However, what I don't get is why I got access denied if the enduser was included into the built-in network admin group--the snapin loaded but the virtual drive manager received access denied.

Please try SuRun1.2.1.3rc1.
It's perfectly safe to use.
I was too busylazy :blush:  to release it.

SuRun 1.2.1.2 had a bug that sometimes did not elevate processes on semi privileged user accounts such as "backup operators".
This has been fixed in the 1.3.1.3 branch, so please try it on one machine to make sure it's not that bug.
jweinraub #13
Member since Nov 2018 · 8 posts
Group memberships: Mitglieder
Where is it?  Sourceforge and the main website only seems to have the version I have.
Never mind.  But yes, it does work.  Disk Management now surun's when user is in network admin.  This is the best ideal situation.  Whilst the explorer with the guid works, it may not for everyone that may need it so this is the best.

A thousand thanks!
This post was edited on 2018-11-16, 17:16 by jweinraub.
Kay (Administrator) #14
User title: Weltverbesserer
Member since Nov 2007 · 1494 posts · Location: Magdeburg
Group memberships: Administratoren, Mitglieder
Always a pleasure.

SuRun is a spare time project that I started 11 years ago to ease working with Windows XP.
Never thought that it will still be used, so I became lazy in releasing the last rc. ;-)
jweinraub #15
Member since Nov 2018 · 8 posts
Group memberships: Mitglieder
I am glad I found it.  It works fantastic and helped me in a really tight spot.  Glad to see it still works in Windows 10.