I have an end-user that needs elevation to the mmc.exe diskmgmt.msc. The user will get access denied if they are a member of the network admin group. Is this something that can be fixed, as there seems to be no substitute? Adding control.exe ncpa.cpl will launch the control panel, but properties still requires UAC and thus there is no way of accessing it. The user will need both actions for his role. Is there a better work-around/fix?

Thanks.
1.)
Running "SuRun diskmgmt.msc" works fine on my machine.
I'm a domain admin in our company.

My guess about the disk management is that in your domain a gpo or acl exists that denies all domain admins access to diskmgmt.msc. If this is the case, you need to run diskmgmt.msc in the elevated context of another user:
"SuRun /RunAs /User <SomeOtherUser> diskmgmt.msc"
If I was guessing wrong, tell me what happens so I can try to reproduce.

2.)
Control.exe will always run "cpl" files non elevated.
So just run "SuRun ncpa.cpl" and it will get elevated.
Thanks for the reply. For non-admin users diskmgmt.msc spawns mmc.exe, and that does the trick. But if the end-user is in the Network Administrators group specifically, diskmgmt.msc gets access denied. Soon as I remove them from that group it works again.

If I use surun ncpa.cpl it spawns it as an admin process so right clicking properties on the network card even using the standard user credentials for UAC will be elevated?
PS- We restrict only what's in the list so it provides an error if I say diskmgmt.msc as an invalid program.
If I leave it as is and use the surun for the ncpa I get:

SuRun options restrict You (MYDOM\test) to run specified applications only.

You are not permitted to start 'C:\Windows\explorer.exe /n, ::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}' with elevated rights.

For disk management, it says mmc.exe is denied since the msc is spawning it. We are only allowing the endusers to use very specific tools from the list.
Are you in control of SuRun's white-list or are you a user?
I am admin trying to set this up for one of the teams here.
"surun ncpa.cpl" is resolved by SuRun to "C:\Windows\explorer.exe /n, ::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}".

"surun diskmgmt.msc" is resolved to "C:\WINDOWS\system32\mmc.exe C:\WINDOWS\system32\diskmgmt.msc"

So the entries in SuRun's whitelist for the users should be something like:
[WhiteList]
1="C:\Windows\explorer.exe /n, ::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}"
2="C:\WINDOWS\system32\mmc.exe C:\WINDOWS\system32\diskmgmt.msc"
[WhiteListFlags]
1=3
2=3
What I still don't understand is why Domain Admins cannot start "C:\WINDOWS\system32\mmc.exe C:\WINDOWS\system32\diskmgmt.msc" with elevation.

Do you have any software restriction systems running?
I can do what I want I am a full admin, my endusers are restricted accounts and thus only want them to access these two things. I can add explorer.exe* with a wildcard and it works fine but I feel that can be too dangerous but that can work too?
jweinraub wrote: I can add explorer.exe* with a wildcard and it works fine but I feel that can be too dangerous but that can work too?
Yes, wildcards are not a good idea for running specific programs.

But now I'm even more confused... When you add explorer.exe* to the white-list, you can run mmc.exe? :huh:
I am using 1.2.1.2.

The disk management works by
surun mmc.exe diskmgmt.msc
as mmc.exe needed to be elevated since diskmgmt.msc is a snap-in.
surun ncpa.cpl
works now and I added the explorer.exe with the full guid that was there. I assume that will work for people that are using the same build of Windows 10, is that a universal thing?

Sorry for all the confusion I am sure what we are doing isn't that common. However, what I don't get is why I got access denied if the enduser was included into the built-in network admin group--the snapin loaded but the virtual drive manager received access denied.

For brevity and for others in a similar boat, this is my complete whitelist
[WhiteList]
0="C:\Windows\System32\ncpa.cpl"
1="C:\Windows\System32\mmc.exe diskmgmt.msc"
2="C:\Windows\explorer.exe /n, ::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}"
[WhiteListFlags]
0=3
1=3
2=3
The surun commands I have saved as batch files for the end-users' ease of access.

Thank you for your assistance
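An audit of a whitelist in the layout posted above, as an added example that is not part of the thread and not SuRun's own code: it flags entries that match more than one exact command line. The sample text is constructed (entry 3 is the wildcard form discussed earlier), and the function names and the file-extension list are assumptions.

```python
import re

# Constructed sample in the [WhiteList] layout shown in the thread; entry 3 is
# the wildcard form the thread advises against, added here for illustration.
SAMPLE = r'''[WhiteList]
0="C:\Windows\System32\ncpa.cpl"
1="C:\Windows\System32\mmc.exe diskmgmt.msc"
2="C:\Windows\explorer.exe /n, ::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}"
3="C:\Windows\explorer.exe*"
[WhiteListFlags]
0=3
1=3
2=3
3=3
'''

ABSOLUTE = re.compile(r"^[A-Za-z]:\\")
# Assumed list of extensions that mark an argument as a file to be opened or run.
FILE_ARG = re.compile(r"\.(msc|cpl|exe|bat|cmd)$", re.IGNORECASE)

def parse_whitelist(text):
    """Return {index: command line} from the [WhiteList] section only."""
    entries, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "WhiteList" and "=" in line:
            key, value = line.split("=", 1)
            entries[int(key)] = value.strip().strip('"')
    return entries

def audit_entry(cmd):
    """List the reasons an entry is broader than one exact command line."""
    findings = []
    if "*" in cmd or "?" in cmd:
        findings.append("wildcard")
    tokens = cmd.split()  # the paths in this sample contain no spaces
    if not ABSOLUTE.match(tokens[0]):
        findings.append("program path not absolute")
    # A file argument without a full path is resolved from the working directory.
    if any(FILE_ARG.search(t) and not ABSOLUTE.match(t) for t in tokens[1:]):
        findings.append("relative file argument")
    return findings

def audit(text):
    """Return {index: findings} for the entries that have any finding."""
    return {i: f for i, c in parse_whitelist(text).items() if (f := audit_entry(c))}
```

On the sample, entry 1 is reported because `diskmgmt.msc` is given without the full path that the resolved command line quoted earlier in the thread uses, and entry 3 is reported for the wildcard.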
jweinraub wrote: However, what I don't get is why I got access denied if the enduser was included into the built-in network admin group--the snapin loaded but the virtual drive manager received access denied.
Please try SuRun1.2.1.3rc1.
It's perfectly safe to use.
I was too busylazy :blush: to release it.

SuRun 1.2.1.2 had a bug that sometimes did not elevate processes on semi privileged user accounts such as "backup operators".
This has been fixed in the 1.3.1.3 branch, so please try it on one machine to make sure it's not that bug.
Where is it? Sourceforge and the main website only seems to have the version I have.
Never mind. But yes, it does work. Disk Management now surun's when user is in network admin. This is the best ideal situation. Whilst the explorer with the guid works, it may not for everyone that may need it so this is the best.

A thousand thanks!
Always a pleasure.

SuRun is a spare time project that I started 11 years ago to ease working with Windows XP.
Never thought that it will still be used, so I became lazy in releasing the last rc. ;-)
I am glad I found it. It works fantastic and helped me in a really tight spot. Glad to see it still works in Windows 10.