Configure and troubleshoot Secondary Logon service
Secondary Logon can be hidden from the GUI, so one doesn’t see the option “Run as different user” when starting a program with this DWORD value:
[HKEY_LOCAL_MACHINE \SOFTWARE \Microsoft \Windows \CurrentVersion \Policies \Explorer]
HideRunAsVerb = 1More Info MS KB830568
Note with Win2k SP4 a new policy was created making it possible to configure what accounts(Default:Administrators and SYSTEM), which are allowed to impersonate other accounts:
- Open Control Panel and open Administrative Tools and double click Local Security Policy
- Expand Local Policies and click User Rights Assignment
- In the right pane double click Impersonate a client after authentication
- Press Add… to enable other users to impersonate other accounts
More Info MS KB821546
Note one can also run applications as another user from the command line using “RUNAS”, though in Win2k it will prompt for password unless using Sanur, CPUA, LSrunas or Steel Run-As. WinXP Professional (Not Home) extends “RUNAS” with the /savecred option where one is only prompted for the password once. To see all options available:
runas /?
More Info MS KB294676
More Info MS KB893677
Note in WinNT4 one can use the Super User Service Starter SUSS.EXE and the tool SU.EXE (Found in the NT reskit):
SUSS.EXE -install
ECHO Password SU.EXE Username UserMgr.exe SU_USERNAME - Environment variable for default user name to SU.
SU_PASSWORD - Environment variable for password to SU. Avoids password prompting.
SU_DOMAIN - Environment variable for domain name referenced by SU.
SU_COMMANDLINE - Environment variable for command line run by SU.
SU_DESKTOP - Environment variable for windowstation and desktop targeted by SU.More Info MS KB829640
Note another way of running an application as another user is to create a scheduled task where it is possible to specify username and password.