Forum: SuRun English speaking RSS
Does SuRun supports domain login and global group
Simon (Guest) #1
No profile available.
Link to this post
Subject: Does SuRun supports domain login and global group
Hi Everyone,

I am not an admin type so please forgive me if my question is silly.

At home I often take my son's account in and out of the administrator group. It's easy to do with either the MMC or the "net localgroup" command. At work we need to deploy something to let users with no admin rights to run a certain scripts. I just checked MMC and don't find my name listed in local users. I assume other users (who do not have admin rights) will be in the same situation. Will SuRun work in domain login environment? Second part of the question: will our administrator be able to add a bunch of domain users in the SuRunners local group?

Regards,
Simon
Kay (Administrator) #2
User title: Weltverbesserer
Member since Nov 2007 · 1508 posts · Location: Magdeburg
Group memberships: Administratoren, Mitglieder
Show profile · Link to this post
SuRun should work in a Domain. I don't know if a Domain Admin can add users to local groups. A user who wants to use SuRun must be member of the local SuRunners group. A user also can be member of a domain group that is member of the local SuRunners group.

There are some things I want you to know:
As the SuRun service is a "local service", it can only create user tokens that have the privileges of local Admins.
Also in Domain environments SuRun needs to store the user password in the local Registry because it needs to logon the user on the domain controller. (This is a potential security risk since the location and encryption of the passwords are known)

I guess that it will not be possible to modify or create new domain users using SuRuns "Start as administrator" token. I think that you need to use "SuRun /RunAs .." for that task.

I usually don't use domains, so domain support in SuRun is poor.
Sadeghi85 #3
Member since Jul 2010 · 8 posts
Group memberships: Mitglieder
Show profile · Link to this post
Hi Kay,

At work I need to let a domain user run a certain program as Admin. I added the user to SuRunners group and the program to the list. Running that program from user account would give an error if I chose "hide SuRun from this user" option...

I found two way of doing that, however neither are optimal.

The first one was to use SuRun's "Run as..." (the option in the "advanced" tab) and let SuRun remember the Admin password. The problem is the user could run any program as Admin...

The second one was to uncheck "Display user status in taskbar" and check "User can only run predefined prog...". The problem is the user would eventually find the SuRun applet in the Control Panel and could change the settings...

Is there a way to hide the SuRun applet from user or fix "hide SuRun from this user" option?

Thanks.
Kay (Administrator) #4
User title: Weltverbesserer
Member since Nov 2007 · 1508 posts · Location: Magdeburg
Group memberships: Administratoren, Mitglieder
Show profile · Link to this post
Whoops. I never tried that myself...

There's currently no direct way to hide SuRun from domain users.
SuRun needs to store the user's real password to get a user token that is valid on the DC.
When you choose "hide SuRun from this user" SuRun silently quits instead of asking for the password.

What works somehow is:
  • Don't hide SuRun from the user
  • Start one program "As Administrator" (This will store the password)
  • Tell SuRun to hide from the user
Then the password is saved and the Apps to start automatically elevated should work.

I'll add an option to store a user's password in SuRun Settings.
Sadeghi85 #5
Member since Jul 2010 · 8 posts
Group memberships: Mitglieder
Show profile · Link to this post
Thank you! :)
Sadeghi85 #6
Member since Jul 2010 · 8 posts
Group memberships: Mitglieder
Show profile · Link to this post
I tried it today and it worked. As per your explanation, I had to enable "Store and use real user password".

"Hide SuRun" option still doesn't work, but no worries as the SuRun applet now asks for the Admin password, which is good.

Thanks!
Close Smaller – Larger + Reply to this post:
Verification code: VeriCode Please enter the word from the image into the text field below. (Type the letters only, lower case is okay.)
Smileys: :-) ;-) :-D :-p :blush: :cool: :rolleyes: :huh: :-/ <_< :-( :'( :#: :scared: 8-( :nuts: :-O
Special characters:
Go to forum
Not logged in. · Lost password · Register
This board is powered by the Unclassified NewsBoard software, 20150713-dev, © 2003-2015 by Yves Goergen
Page created in 47.8 ms (24.3 ms) · 69 database queries in 10 ms
Current time: 2019-08-20, 14:48:19 (UTC +02:00)