MakeMeAdmin -- temporary admin for your Limited User account

Article
07/24/2004

[added March 11, 2005: Important follow-up here: https://blogs.msdn.com/aaron_margosis/archive/2005/03/11/394244.aspx ]

[edited Aug 6, 2012: That follow-up post now includes the MakeMeAdmin.zip download, as the original hosting server is being decommissioned.]

Common scenario: you log on with your Windows domain account, which you have removed from the Administrators group (as well as from Power Users, Backup Operators, etc.). When you need to perform tasks that require elevated privileges, you use RunAs to start a program with the local Administrator account. You quickly realize two things:

The program running as local Administrator cannot access network resources, since your local account is recognized only on your own computer; and
Any per-user settings apply to the local Administrator’s profile, not to the profile you normally work with.

The first problem often occurs when installing software from a network share, or an ActiveX control from an intranet site that uses Windows authentication. An area where the second problem crops up is with applications that assume that it will be installed by the same user who will use it. Some apps also have a “run-once” problem, in which the app needs to be executed one time with admin privileges. For some, such as Windows Messenger 4.x, each user has to run it one time with admin privs.

The per-user settings problem also occurs with the Power Options applet in Control Panel, which modifies both per-machine and per-user settings. When you use it from an unprivileged account, an error occurs writing the per-machine settings, so the per-user settings never get written. When you use it from the local admin account, the per-user settings you write are for the local admin account, not the account you normally use.

There are a number of ways to address the network access problem. The first of these that I’ll describe also addresses the user profile problem.

Elevating your normal account to admin

The only effective way I know of to address the user profile issue is to make your “normal” account an administrator. The trick is to do it for the least amount of time necessary.

The long and painful way

Using an admin account, you can add your normal account into the Administrators group, but that change doesn’t take effect until the next time you log on. If you’ve tried this, you’ve probably noticed that it’s a pain to add your domain user account into the Administrators group using the GUI – first you need to use RunAs to run the Computer Management / Local Users and Groups console; you then get prompted for network credentials to resolve the domain names because your local admin account isn’t recognized. And then when you’re done with all that, your current logon still doesn’t have admin privileges because changes to groups and privileges only take effect on subsequent logons. Finally, you need to remember to remove yourself from the Administrators group and then log back in again to make that change take effect.

“MakeMeAdmin”

MakeMeAdmin.cmd addresses all of these issues. When you run it, you get a Command Prompt running under your normal user account, but in a new logon session in which it is a member of the Administrators group. This Command Prompt and any programs started from it use your regular profile, authenticate as you on the network, but have full local admin privileges. All other programs continue to run with your regular, unprivileged account.

How does it work? Remember a moment ago when I mentioned that changes to groups and privileges take effect only on subsequent logons? The critical thing to understand is that you do not actually need to log out in order to log on. If you use RunAs to start a process with your current account, it creates a new logon session and builds a new token, taking into account group memberships in effect at that instant. MakeMeAdmin.cmd invokes RunAs twice, prompting you first for your local admin password, then for your current account password. The bit that runs as local administrator does the following:

Adds your current account to the local Administrators group (using NET LOCALGROUP, avoiding the problem of needing network credentials to resolve names);
Invokes RunAs to start a new instance of cmd.exe using your current account, which is at this instant a member of Administrators;
Removes your current account from the local Administrators group.

The result of the second step is a Command Prompt running in a new logon session, with a brand new token representing your current account, but as a member of Administrators. The third step has no effect on the new cmd.exe’s token, in the same way that adding your account to Administrators does not affect any previously running processes.

The zip file (attached to this post) also includes a less-privileged version, MakeMePU.cmd, which temporarily elevates you to Power Users instead of Administrators.

A very brief bit about processes and tokens

I’ll try to keep this as brief and broad-brush as possible. What follows is not 100% accurate and complete, but if you’re unfamiliar with the concepts I think you might find it helpful:

Every program in Windows runs in a “process”. A process may display zero or more windows. You can see a list of the running processes by starting Task Manager and clicking on the “Processes” tab. If you click on the “Applications” tab, then right-click on one of the items listed there and choose “Go To Process”, it will show you which process that “application” is running in.
A “token” identifies a user, the Windows groups that user belongs to, and a set of system privileges, such as the ability to change the computer’s clock. When a user logs on (including with RunAs), the system creates a new token for the user, determining at that time what groups the user is a member of and which privileges the user should have. Once a token is created, one can’t add or (generally) remove any groups or privileges from the token.
Every process always has a token. In almost all cases, its token is a copy of that of its parent process (the process which started it).
Whenever a process tries to access a securable object (such as a file or a registry key), an access check is performed by comparing the process’ token to the “access control list” (ACL) of the object. The result of that access check determines whether the requested access is allowed or denied.

Addressing the network resource access issue

If you prefer to use the local administrator account, but need to use your domain account for network access, there are a couple of other approaches:

From your local admin Command Prompt, you can simply NET USE to authenticate to the specific resources you need to access. You need to authenticate separately this way for every remote computer you wish to access. NET USE is logon-session specific, so any connections established in one Command Prompt affect only processes started within the same RunAs session.

Another commonly used approach is to use RunAs with /netonly. The /netonly option starts the target process in a new logon session with the current token, but with the account you specify for all SSPI-based network access. You can kind of think of it as implicitly calling NET USE for every remote computer you try to access. Here’s how you might use it (ignore word-wrapping – this should be one line):

runas /u:%COMPUTERNAME%\Administrator "runas /netonly /u:%USERDOMAIN%\%USERNAME% cmd.exe"

(If you have renamed your builtin Administrator account, change “Administrator” to the new name.)

As with MakeMeAdmin, RunAs is used twice and you’ll get prompted for two passwords: that of the local Administrator, and that of your current account. What you’ll get is a Command Prompt running under the local Administrator account, using the local Administrator profile, but authenticating on the network with your domain account. (Confusingly, the title bar will say that you’re running as the domain user rather than as the local administrator.)

Tradeoffs of MakeMeAdmin vs. using the builtin Administrator account

Personally, I prefer using MakeMeAdmin. The main issues I have run into with MakeMeAdmin are 1) telling privileged from unprivileged apps, 2) Explorer issues, and 3) issues with objects created while running with elevated privilege.

1. Telling privileged from unprivileged apps

In two previous posts, I echoed Keith Brown's suggestion to change the admin’s background bitmap for Explorer and Internet Explorer so that you could tell your admin windows from your non-admin ones. But with MakeMeAdmin, you can have different IE and Explorer windows all running as “you”, but some with administrator privileges and others not. The background bitmap settings are associated with user accounts, not with privilege levels, so they don’t help you in this scenario.

I promised to provide a solution. It’s called PrivBar and it adds a toolbar to your IE and Explorer windows that lets you know at a glance at what privilege level that particular instance is running. At this point I will have to postpone it to a future post – this post is already very long and very overdue! I will try to post it really soon! [July 24, 2004, 11:40pm Eastern US time: It's up! https://blogs.msdn.com/aaron_margosis/archive/2004/07/24/195350.aspx ]

2. Explorer issues

If you want to start explorer.exe from a MakeMeAdmin context, you need to set the Separate Process flag for your normal account, and you must start explorer.exe with /root, in the command line unless there are no other Explorer windows running. For more information, read my post about using RunAs with Explorer, paying close attention to “More info about Explorer’s Separate Process flag” and the references to explorer.exe command line options.

3. Objects created while running with elevated privilege

Normally, when a user creates a securable object, such as a file, folder, or registry key, that user becomes the “owner” of the object and by default is granted Full Control over it. Prior to Windows XP, if the user was a member of the Administrators group, that group, rather than the user, would get ownership and full control. The user still had ownership and control over the object by being a member of Administrators. But if you created objects while a member of Administrators and then were removed from the group, your subsequent use of those objects could be limited or completely denied. Windows XP introduced a configurable option whether ownership and control of an object created by an administrator would be granted to the specific user or to the Administrators group. The default on XP is to grant this to the object creator; the default on Windows Server 2003 is to grant it to the Administrators group.

I’m not on the Windows team and was not party to the thinking that went into exposing this option and establishing its defaults. My guess is that it was that on the server, all admins are equal. If I’m an admin on a server and I create an object and am later reassigned or leave the company, any other admin should be able to access and manage the objects I created without any trouble. A workstation, however, is more likely to be a single-user device. Objects I create on my computer, such as documents, should remain under my control even if I change myself from a Computer Administrator to a Limited User (to use XP Home Edition’s terminology). I think this makes a lot of sense.

However, MakeMeAdmin changes things. If I use MakeMeAdmin to install programs, my normal account will be granted ownership and full control over the installation folder, the program executable files, and any registry keys the installation program creates. Those access rights will remain even when I am no longer running with administrator privileges. That’s not what I want at all. I want to be able to run the app, create and modify my own data files, but not to retain full control over the program files after I have installed it. For this reason, I changed the “default owner” setting on my computer to “Administrators group”.

To view or change this setting, open “Local Security Policy” in Administrative Tools, or run secpol.msc. You need to be an admin to use this tool. In the left pane, browse to Security Settings \ Local Policies \ Security Options. The policy name is “System objects: Default owner for objects created by members of the Administrators group”. The allowable settings are “Administrators group” or “Object creator”.

Coming Real Soon

PrivBar
Running with a restricted token (what does “protect my computer and data from unauthorized program activity” actually mean)
???

Comments

Anonymous
July 23, 2004
Thank you for the excellent informative posting
Anonymous
July 23, 2004
Thanks Aaron, I've been eagerly awaiting this post... Looking forward to the privbar
Anonymous
July 25, 2004
On a German Windows one has to change in the batch file the group name from Administrators to Administratoren ;-) It works perfect now!
Anonymous
July 25, 2004
Very informative post for me. Thanks for the lesson, now maybe I will try to run as non-admin.
Anonymous
July 25, 2004
Daniel, thanks for the note. I should have mentioned that the script can be customized, for localization or any other reason. Thanks for pointing it out.
Anonymous
July 26, 2004
I had to make a change or five to get the batch file to handle user names with embedded spaces. Wasn't exactly a trival change, either, given the existence double quotes already in the cmd file. (And, no, just using " didn't help, either). Once I've got it cleaned-up, I'll post here.
Anonymous
July 26, 2004
ToddM - thanks, good point. Does this work for you? (I've tried it and it seems to work for me...) Mostly just replace instances of %1 with "%". I've only tried this with the current username with an embedded space - didn't try domain/workgroup name with embedded space, or a renamed admin account with an embedded space.

@echo off
setlocal
set Admin=%COMPUTERNAME%Administrator
set Group=Administrators
set Prog="cmd.exe /k Title *** % as Admin *** && cd c: && color 4F"
set User=%USERDOMAIN%%USERNAME%

if "%1"=="" (
runas /u:%Admin% "%~s0 %User%"
if ERRORLEVEL 1 echo. && pause
) else (
echo Adding user %* to group %Group%...
net localgroup %Group% "%" /ADD
if ERRORLEVEL 1 echo. && pause
echo.
echo Starting program in new logon session...
runas /u:"%" %Prog%
if ERRORLEVEL 1 echo. && pause
echo.
echo Removing user %* from group %Group%...
net localgroup %Group% "%*" /DELETE
if ERRORLEVEL 1 echo. && pause
)
endlocal
Anonymous
July 29, 2004
"iexplore.exe -new" will do what you want without setting any special settings.
Anonymous
July 29, 2004
Ari - what does -new do for iexplore.exe? Wasn't that for starting IE 4.x in a new process? Starting iexplore.exe always results in a separate process now.
Anonymous
August 02, 2004
We use a similar process here for our Zenworks Deployments. In some instances the Zenworks tool will not properly elevate a user which then requires us to add a user to the admin group, then remove them. I have devloped a tool called Authenti-key for NT that allows you elevate installs as an administrator. IT works on 95 - XP. You can create an elevated CMD window and perform any admin task from there. Similar to SU and can be used in scripting.

Here is a link.

http://downloads-zdnet.com.com/Authenti-Key-for-NT-AKEY-/3000-2094-10153448.html?tag=lst-0-1

Great work on the script. !!
Anonymous
August 10, 2004
Use MakeMeAdmin.cmd when installign software
Anonymous
August 10, 2004
Use MakeMeAdmin.cmd when installign software
Anonymous
August 11, 2004
This is an interesting script. It has some room for error but I have an idea about how to avoid that. Some fellow who seems to work for Microsoft in some capacity has written a batch script called MacMeAdmin that...
Anonymous
August 11, 2004
thanks a lot for this superb script. I was looking for a solution that addresses the issues with "RunAs" for a long time.
Anonymous
August 11, 2004
Great utility. The one problem we ran into is that we have the "installation" file on a netware server, and can't point to the network drive mapping.
Anonymous
August 11, 2004
Carolh - Correct. SMB sessions (e.g., NET USE connections and drive mappings) belong to a logon session. Since MakeMeAdmin runs in a separate logon session from your main shell, it doesn't automatically get the shell session's drive mappings. (I assume the same or similar is true with IPX/SPX stuff.) You can create a new connection within the MakeMeAdmin session using NET USE or the NetWare equivalent.
Anonymous
August 11, 2004
The comment has been removed
Anonymous
August 11, 2004
"Common scenario: you log on with your Windows domain account, which you have removed from the Administrators group (as well as from Power Users, Backup Operators, etc.) . When you need to perform tasks that require elevated privileges, you use RunAs to start a program with the local Administrator account. You quickly realize" that this is a pain in the posterior! Here's how to go about it much easier and without the limitations....
Anonymous
August 11, 2004
Toby - I've never had my code called "cute" before. Thanks?

The term you are looking for in the 2nd paragraph is "desktop" - as in, the Win32 construct that is defined within a Window Station. (See http://msdn.microsoft.com/library/en-us/dllproc/base/desktops.asp) . Any program (more accurately, any thread) running on a particular desktop can access any window running on that desktop, send it messages, simulating keystrokes and mouse events, etc. When you use RunAs, you're creating a new program running in a different security context, but on the same desktop, so the risk you identified exists. With Fast User Switching, you are switching to a different desktop and are not vulnerable to those kinds of attacks. I pointed to Fast User Switching in an earlier post called "The easiest way to run as non-admin"; it is IMO also the most secure way to run as non-admin for the reason you point out. However, FUS isn't available for domain-joined machines.
Anonymous
August 11, 2004
The comment has been removed
Anonymous
August 11, 2004
I looked at my Local Security Policy on my XP machine and "System objects: Default owner..." is set to "ObjectCreator". However when I check the ownership of files, e.g. Adobe Acrobat Reader and others under "Program Files" the owner is my local machine's administrators group and not my account (which currently is part of the administrators group).

My machine isn't part of a domain.
Anonymous
August 11, 2004
Rage on Omnipotent » Make me admin
Anonymous
August 12, 2004
The comment has been removed
Anonymous
August 12, 2004
The comment has been removed
Anonymous
August 12, 2004
Marc Poljak: as far as I know, RUNAS.EXE does not let you enter passwords through stdin. This is probably to discourage the practice of storing passwords in plain text files.
Anonymous
August 12, 2004
The comment has been removed
Anonymous
August 13, 2004
The comment has been removed
Anonymous
August 13, 2004
Sean McL, re RDP back to localhost: I'm referring to the fact that your RDP client app (typically mstsc.exe) is on the same desktop as your non-privileged logon. Unprivileged apps could (at least theoretically, I haven't tried it) send messages to the mstsc window to direct key and mouse events to the remote desktop.

I'll tackle your next post after I get some coffee :-)
Anonymous
August 14, 2004
Aaron Margosis: I love this blog, thank you so much for the time and effort!

Aaron && Sean: Considering the whole same desktop/message issue (how hard would it be for malware to find a process with admin rights? furthermore why isnt there any security for messaging), it seems that Sean's solution, Scary User Switching, as its now officially known :D, seems to be the best one. I'm not sure what the 'previously running apps' are either. They only thing they could be are things started by user logon scripts. According to this <http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/regentry/12330.asp> the only things userinit does are run logon scripts, establish network connections, and then start explorer. so if your special MakeMeAdmin account isnt running anything with loginscripts, the first thing to run should be explorer.

One thing I think might be better. Instead of making a custom userinit application (which would need to call userinit anyway to reestablish network connections), couldn't we set user specific paths to explorer, by changing Shell in HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIniFileMappingsystem.iniboot from "SYS:MicrosoftWindows NTCurrentVersionWinlogon" to "USR:SoftwareMicrosoftWindows NTCurrentVersionWinlogon". Then create the Shell entry in that key for each user and point set them to explorer.exe. Except for your special MakeMeAdmin account, set it to the properly modified MakeMeAdmin.cmd.

Marc Poljak: storing the admin password in the file would defeat the purpose. i don't see any prob with using the savecred option to eleminate having to type in the password for the current user account though. it would be saved in the admin's credentials folder.
Anonymous
August 14, 2004
Will the one issue with your approach is that any processes launched by the login scripts will now be running with the Admin token and not the regular user account in the admin group. Also the network connections will be established with the admin account.

So you'll have a mix of accounts which is what I was trying to avoid with the custom userinit approach.
Anonymous
August 14, 2004
Will Brown: Yes, I know that storing a password in a plain text file is a very bad idea, but there are tools with which you can transform a BAT file into a EXE and then obfuscate the code in order to prevent the retrieval of the password via a hex editor. With a script like MakeMeAdmin you can launch a new command shell with elevated privileges or you can launch all kind of things through a logon script. This is useful if you do not have Group Policies and Active Directory at your disposal or an installed "agent" on the client, which runs under the local system account.

But, with the /SAVECRED option I have the result which I was looking for (well, not quite what I wished, but it works and that's important!). So, thank you for getting me on the right track.

Cheers,

Marc Poljak
Anonymous
August 16, 2004
I experienced a similar problem with right delegation and I developed a little utility called MyRunAs that allow you to run a program impersonating another user (like Windows RunAs) but it generate an executable where there are the user credentials and the program name crypted.
Take a look on http://spazioinwind.libero.it/vittoriop/myprojects.html
Regards

Vittorio
Anonymous
August 16, 2004
Sean McLeod - The first time I read your post about what I called "Scary User Switching" I misunderstood exactly what you were doing. I guess it might work - have you tried it?

Note that once you apply SAVECRED, the creds can be used with other apps as well, not just the one you specified.
Anonymous
August 16, 2004
Aaron, yes what I was proposing was really just a combination of your suggestions with hopefully the best benefits of both, i.e. using a separate admin account with FUS and using MakeMeAdmin to create a logon token that is a combination of your regular (LUA) in the admin group (call this your 'MakeMeAdmin' account, although it's not really a separate distinct user account).

So you end up with a separate desktop session and all the added security benefits that brings but at the same time instead of running processes in this desktop as the administrator account and the potential hassles that brings with network credentials, installing software etc. you run as your special 'MakeMeAdmin' account.

I'll test it out on a test machine in the next couple of days and let you know how it works, just a bit busy with some 'real' work ;-)
Anonymous
August 18, 2004
I was wondering what it would take make this into a SHell extension to create a kind of SUPER_Runas feature. Would be awesome to be able to right-click on an app/shortcut and run as any user elevated to Admin or poweruser etc.
Anonymous
August 18, 2004
I was wondering what it would take make this into a SHell extension to create a kind of SUPER_Runas feature. Would be awesome to be able to right-click on an app/shortcut and run as any user elevated to Admin or poweruser etc.
Anonymous
September 02, 2004
Will's Blog - Adventures of an IT Grad » Running as Limited User and Having temporary admin priveledges
Anonymous
September 03, 2004
Nerhood Weblog - Digital Diary - Family, Work, Technology, Books and Media » MakeMeAdmin – temporary admin for your Limited User account
Anonymous
September 05, 2004
reuteras.com » Bra verktyg f?r Windows
Anonymous
September 17, 2004
The comment has been removed
Anonymous
October 25, 2004
Aaron Margosis is a Microsoft employee who is writing a weblog on running Windows with least privilege on the desktop. If you are having trouble running applications under an account with less privileges than administrator, there are many useful suggestions...
Anonymous
February 15, 2005
chris.webdevlab.com » The Non-Admin Blog
Anonymous
March 11, 2005
MakeMeAdmin script updates, and a security setting you should change
Anonymous
April 18, 2005
Complete list of Aaron Margosis' non-admin / least privilege posts, for easy lookup.
Anonymous
May 30, 2005
Installing .inf files if you are living the non-admin lifestyle
Anonymous
June 05, 2005
I learn something usefull today!
Anonymous
June 10, 2005
Get your friends and family, all those folks that come to you for computer help once their machines have...
Anonymous
June 15, 2005
The comment has been removed
Anonymous
July 05, 2005
Ok, ik heb vandaag wat sessies gevolgd over de security improvements in het Longhorn timeframe en hoe...
Anonymous
July 10, 2005
Very handy tool for those of us that rightly develop under the 'least privileged' user context.

MakeMeAdmin...
Anonymous
July 10, 2005
Very handy tool for those of us that rightly develop under the 'least privileged' user context.

MakeMeAdmin...
Anonymous
July 29, 2005
The comment has been removed
Anonymous
August 25, 2005
Anyone know how to gain Administrative Privilages with a Limited Account if you don't know the password?
Anonymous
November 05, 2005
How can you get around typing in the local administrator password?
Anonymous
November 15, 2005
The comment has been removed
Anonymous
January 20, 2006
This little utility inspired me to write a service based app that allows you to launch any program as yourself with an admin token. If anyone want's to try it out and comment, you can grab it here....

http://home.toadlife.net/blog/weblog.pl?trackback=1

Thanks Aaron. :)
Anonymous
January 30, 2006
it does'nt work with me...it's asking for admin password which i don't know.
Anonymous
January 31, 2006
Archos - that is correct. You need to have the admin password in order to do this. Otherwise it would be an unauthorized elevation of privilege!
Anonymous
February 01, 2006
Not sure what I'm doing wrong, but running this gives me an error after entering the first local admin password:

Enter the password for ADMINCOMPAdministrator:
Attempting to start C:DOCUME~1MSMITH~1.DOMDesktopMakeMeAdmin.cmdkeMeAdmin.cm
d DOMAINmsmith as user "ADMINCOMPAdministrator" ...
RUNAS ERROR: Unable to run - C:DOCUME~1MSMITH~1.DOMDesktopMakeMeAdmin.cmdkeM
eAdmin.cmd DOMmsmith
87: The parameter is incorrect.
Anonymous
February 01, 2006
Well running it from the root of the c drive works fine. Seems as though it just refuses to run properly from the desktop.
Anonymous
February 06, 2006
I cannot use your batch-files, nor a simple runas.exe.
My administrator user name and password are in Hebrew. Moreover, the Administrator user name consists of more than one word. All of this is fine for me, it make me feel more secure and it works with "Shift-right-click-run-as".
But: runas does not accepts it. (I'm using Windows XP Home Ed. SP2).
Anyone has a suggestion ?

Thanks
Anonymous
February 24, 2006
Try using quoatation marks for domain accounts, to avoid interpreting "" as directory separator in batch scripts
Anonymous
February 24, 2006
Vatroslav Mihalj - I'm not sure what problem you're trying to solve. The script should already have quotes in the correct places - see where "%*" is used in the second part of the script.
Anonymous
March 03, 2006
I have a laptop with only one user.
The past user, removed ALL users, except for
the one guy getting the laptop.
He is a Limited user, and we need to make
him a Administrator and add a USB printer.
Do you think this MakeMeAdmin will help?
Thanks
Mike Logsdon
mlogsdon@senate.state.mo.us
Anonymous
March 03, 2006
Mike Logsdon - Rather than make the new user an admin, log on with the Admin account and install the printer from there. I assume the previous user did not delete the built-in Admin account. If there truly are no admin accounts left on the computer, reformat and reinstall Windows. Note that in order to use MakeMeAdmin, you need to have the password for an admin account, and neither the Admin nor the User account can be blank-password accounts.
Anonymous
March 07, 2006
Have written a little tool based on Arons idea.

Comments please here or to fli4l@online-barthel.de

http://www.online-barthel.de/Download/makemeadmin/MakeMeAdmin.exe
Anonymous
March 13, 2006
Aaron, regarding Mike Logsdon's concerns, we have the same need. I thought when you add a local printer, it only installs for that user. If this is true, when you log on to the machine as the local admin, install the printer, log off and log on as the original user, then the local printer would not be listed.

Am I correct in thinking that the local printer is user specific?

Thanks!
Aaron
Anonymous
March 24, 2006
Aaron H.--

"Local Printers"--those that you physically connect to your computer, as well as those for which you add a port (e.g. Unix Print Services/IP Printing)--exist for all users. These must be installed by an administrator.

"Network Printers," for instance those shared over a Domain/SMB can be installed by anyone. Those printers exist only for the user who installs it.

Hope this helps...
Anonymous
March 25, 2006
Why couldn't this be used to make an attack on Windows from a Limited User Account especialy for users with blank admin passwords
Anonymous
March 26, 2006
The comment has been removed
Anonymous
March 27, 2006
A systematic approach for working around LUA bugs that avoids unnecessary exposure - "the rest of the story"
Anonymous
April 06, 2006
Yinon Ehrlich, sorry for the delay in responding. Two things:
1. The version of MMA that is currently posted supports usernames containing spaces; but
2. This is what I've been told about console apps and right-to-left languages like Hebrew:
"Console apps don't support complex script languages, and this is by design. For all console apps on such languages we fall back to English. Now since the administrator user name and password are both in Hebrew the option to use Runas is not valid."
Anonymous
April 10, 2006
PingBack from http://skmullen.wordpress.com/2006/04/10/makemeadmin/
Anonymous
April 27, 2006
The comment has been removed
Anonymous
April 28, 2006
dhananjay singh - There are two sides to the "non-admin" issue: users who are trusted to know when/how to elevate and do so judiciously, and users who are not trusted to make those decisions. MakeMeAdmin definitely falls into the first group. On my Table of Contents page I have separated out my posts based on that distinction: http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx
Anonymous
April 28, 2006
PingBack from http://n3wjack.net/index.php/2006/03/10/running-windows-as-a-non-admin/
Anonymous
May 03, 2006
Tool to pass crypt admin password: http://robotronic.de/runasspc/

Bye
Anonymous
May 03, 2006
cibgiu - see caveats about that approach here:
http://blogs.msdn.com/aaron_margosis/archive/2006/03/27/562091.aspx
Anonymous
May 11, 2006
I can not get this to work. I get the bright dos window saying Admin but when I go to install it says Im not a admin.

Please help
Anonymous
May 11, 2006
Sidney - what are you trying to install? Note that not everything started from an elevated process will remain elevated: Look for the section called "When RunAs won't work" in this post:
http://blogs.msdn.com/aaron_margosis/archive/2004/06/23/163229.aspx
Anonymous
May 22, 2006
I try to be a good citizen, I really try. I tried to take the plunge today to create a non-admin user...
Anonymous
May 24, 2006
Please e-mail me back at dulitzki322@gmail.com, I'm a limited account and I don't have access to the admin's account, is there any way, maybe through cmd, to become an admin, or at least to make another admin account from a limited account. If not is there any way to find out an admin's password?
Anonymous
June 16, 2006
MSBee requires administrative rights to be installed and same thing is true for .Net Framework 1.1 SDK...
Anonymous
June 19, 2006
I'd heard about this forthcoming edition of Visual Studio 2005 Team System (Team Edition for Database...
Anonymous
June 19, 2006
A new project has been just launched recently called sudoWn. It is based on the original MakeMeAdmin way but it is developed further for desktop PC users. You can find the project page @ http://sudown.mine.nu
Anonymous
June 24, 2006
PingBack from http://reparsed.net/2006/06/24/secure-surfing-six-months-later/
Anonymous
June 29, 2006
I had to change the system on my computer but did not have access to an admin account thanks to your help i could change the setting (that only could be accessed by an admin) and the computer doesn't stuff up anymore

thanks denno
Anonymous
July 06, 2006
PingBack from http://jonc.wordpress.com/2006/07/06/change-group-membership-token-for-user/
Anonymous
August 05, 2006
how do i make my limited account to a admin account without a admin password... You can't. If that were possible there would be no reason to have limited accounts. -- Aaron
Anonymous
August 14, 2006
Is there a way to gain the orginal password? after the admin password change. No. -- Aaron
Anonymous
August 17, 2006
Hmmm. I mistakenly tested MakeMeAdmin while already logged into my Admin account. Now my Admin account has mysteriously lost its Administrator privileges (it is now showing up as a Limited Account). Is there any way to recover from this situation?

I tried a System Restore from the "Last known good configuration", but I had already rebooted before I noticed the problem, so the last "Good" configuration was no better. And my 'Get Out Of Jail Free' card (using System Restore to select a restore point that predates the problem) can't be used because System Restore needs to run from an account with Administrator privileges. Catch 22?

This is on a system running XP Pro SP1. I'm half way through installing SP2 in a separate partition, so it's not a huge problem if this installation is beyond repair. But it does make me wary of trying MakeMeAdmin again.

-Les. That problem has been noted before. Some (at least partial) solutions are discussed in the comments to the follow-up post, particularly here and here. One can only do so much with a .cmd script. Maybe one of these days I'll make a PowerShell version of the script. -- Aaron
Anonymous
August 25, 2006
PingBack from http://jeffhandley.wordpress.com/2006/08/21/wcf-troubles/
Anonymous
August 30, 2006
MakeMeAdmin And Console MatchMaker
Anonymous
September 11, 2006
The comment has been removed
Anonymous
September 17, 2006
How can I use it to uninstall programs or application?
Can someone help me with this.... tnx! From a MakeMeAdmin command prompt, you can get to the Add/Remove Programs applet by running "appwiz.cpl". -- Aaron
Anonymous
September 19, 2006
I&#39;d heard about this forthcoming edition of Visual Studio 2005 Team System (Team Edition for Database
Anonymous
September 22, 2006
I am an admin and I need to find out a limited user's password without changing it or them knowing. How? Sorry, there is no interface to support that. Why do you need to do that? -- Aaron
Anonymous
September 26, 2006
same as secondary login......
end task user's explorer.exe...and then use
runas /user:administrator explorer.exe
and there you will login as administrator...
do the admin tasks and logoff from administrator .......
now end task and start explorer.exe for user again...and you see that opened applications also wont get affected I've posted a better solution here that doesn't require killing your existing explorer.exe instances. And, BTW, the idea you proposed doesn't address the scenarios that MakeMeAdmin (the subject of this post) was designed for. -- Aaron
Anonymous
September 28, 2006
Problematiken rörande lokala administratörer, man stöter allt för ofta på administratöerer som löser...
Anonymous
October 10, 2006
Hi , this is a useful tool. I work in a large construccion company, and we use (in the headquarters) VNC for acessing computers located outside in numerous construccion sites. On these sites , the Pc's are in workgroups with acess to the domain network. What happens sometimes : people go from site to site , and have to change workgroup. Sometimes when you do this , you stop having access to VNC because the windows xp firewall blocks it . Is there a way to run MakeMeAdmin with the "netsh firewall set AllowedProgram" over ip or computer name? If not i'll just have to go there... Thanks. If the remote system is blocking remote administration, then you're not going to be able to change the firewall settings remotely. -- Aaron
Anonymous
October 16, 2006
Make one where you dont need ther administrators password because i stuffed up my computer by changing the admins password too fast =( You're asking for a hacker tool. MakeMeAdmin is not a hacker tool, and I don't make hacker tools. :-) -- Aaron
Anonymous
October 29, 2006
Look for transparent solution within a VB6 app to create special shared folder privledges for domain users ONLY when using the VB6 app.
Anonymous
October 29, 2006
Look for transparent solution within a VB6 app to create special shared folder privledges for domain users ONLY when using the VB6 app. fintek@comcast.net
Anonymous
November 21, 2006
Can you send it a batch file to run in the final window. I have a bat file containing the net use to map a network drive. I would like this to run this in the final cmd window so that a drive is mapped in the admin session. Is this possible? Sure -- just add the batch file you want to the Prog variable. The "/k" option means "run the following command when cmd.exe starts, and then continue running." (The similar /c option runs the command you specify and then exits the shell.) The && strings multiple commands together. HTH -- Aaron
Anonymous
November 28, 2006
The comment has been removed
Anonymous
December 15, 2006
We must logon now with a CAC card now. Since then, I have been unable to use the MakeMeAdmin. I can logon on the first part as Administrator and it successfully adds me to the administrator group. It then asks for my limited account password and this is where it fails. I get the following error in the DOS window:

Starting program in new logon session... Enter the password for MYDOMAINmyuserid: Attempting to start cmd.exe /k Title *** MYDOMAINmyuserid as Admin *** as user "MYDOMAINmyuserid" ... RUNAS ERROR: Unable to run - cmd.exe /k Title *** MYDOMAINmyuserid as Admin *** 1327: Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced. Press any key to continue . . .

Is there anyway to fix this. David, does it work if you use MakeMeAdminSC, which comes in the same .zip download? It uses "runas /smartcard" to do the "re-login" using smartcard credentials instead of a password. From the MakeMeAdmin followup post: MakeMeAdminSC works just like MakeMeAdmin but uses smart card authentication for the current user instead of password authentication, via the runas.exe /smartcard option. Insert your smart card before running MakeMeAdminSC; it will prompt you for the admin password, then for your smart card PIN. (In order to work, the smart card needs to be associated with the account you’re currently logged in under.) -- Aaron

Anonymous
December 18, 2006
It adds me to the Admin group but it also fails in the second logon. Here is the results:

Adding user MYDOMAINmyuserid to group Administrators... The command completed successfully. Starting program in new logon session... Reading smart cards..... The following errors occurred reading the smart cards on the system: No card on reader 2 Using the card in reader 1. Enter the PIN: RUNAS ERROR: Unable to acquire user password Press any key to continue . . .

David, I suspect that since CAC cards are not standard, off-the-shelf smartcards, they may not be compatible with the expectations of Windows' built-in credential handling. Feel free to contact me via the email link above to dig into this further. -- Aaron

Anonymous
January 05, 2007
PingBack from http://keycruncher.com/blog/2005/08/23/makemeadmin-windows-xp-admin-escalation-tool/
Anonymous
January 15, 2007
can this tool be used to make a logoff script reboot or shutdown a windows xp machine? it just seems to be impossible thanks Sorry, I just don't understand what you're asking here. gpedit.msc will let you specify logon/logoff scripts. HTH -- Aaron
Anonymous
January 26, 2007
The comment has been removed
Anonymous
January 27, 2007
What is the temp admin password? How do you change it? www.greenlush.com
Anonymous
January 28, 2007
For users who'd like to automate typing in the admin password, a better alternative to RunAs would be using Mark Russinovich's PsExec.exe tool (part of the PsTools suite). PsExec allows you to specify the username and password in the commandline.
Anonymous
January 29, 2007
The comment has been removed
Anonymous
February 02, 2007
If its an issue, then you could make a program to launch psexec. That way you wouldn't be storing it in plaintext. To make it somewhat more secure, you could perhaps encrypt the password and obfuscate the exe.
Anonymous
February 02, 2007
The comment has been removed
Anonymous
February 22, 2007
The comment has been removed
Anonymous
February 23, 2007
The comment has been removed
Anonymous
February 24, 2007
The comment has been removed
Anonymous
February 28, 2007
I've been using MakeMeAdmin for quite a while, but on a recent install of XP on a laptop, when running Windows Explorer with elevated privileges, the view does not refresh after, for example, deleting or moving files. This happens with other dynamic views, such as Network Connections (if I turn off my wireless network card, it still shows it in the view unless I hit F5). This only happens when I use MakeMeAdmin to elevate privileges, under normal privileges (the user account is only in the Users group) the views refresh, and similarly if I log into the Administrator account, the views behave accordingly. I promise I've tried hitting Google up as many different ways as I could think of, but I'm at a loss, and out of five computers I run MakeMeAdmin on, this only happens on one. Any help would be most appreciated, thanks.
Anonymous
March 01, 2007
I'm having the same problem. The window with elevated privileges does not refresh, I have to hit F5. Not sure why. BTW, this also happens when I use WinSUDO (another great tool). Iggs/Vincent/and others: Hmm, I thought I had posted about this at some point, but I guess I haven't. The problem is that the way Explorer does refreshes is that there is one central location, in one Explorer process, that performs the actual change monitoring. () When a change event occurs, that process notifies the Explorer windows that registered interest. The problem is that the transferring of the information requires cross-process access, which gets blocked when the desktop Explorer tries to open the admin Explorer process. () Obvious question is "why was it done this way?" The answer is (like many other answers) that Windows Explorer was architected for an OS that needed to be able to run on systems with 4MB of RAM. Since Explorer was never designed to support multiple security contexts (and still isn't even on Windows Vista), there has not been a need to change this implementation. -- Aaron
Anonymous
March 01, 2007
The comment has been removed
Anonymous
March 01, 2007
The comment has been removed
Anonymous
March 07, 2007
Hello. I'm very very bad at using PCs. I need to get admin so I can use it to download some things but I'm not quite sure how to use MakeMeAdmin. Do I need to know the admin password (Which i dont know)? Maybe you can give a newbie step by step for a not very PC tunned person. Thanks in advance. Yes, you need to have the password for an admin account to use MakeMeAdmin. -- Aaron
Anonymous
March 07, 2007
The comment has been removed
Anonymous
March 07, 2007
Thats rubbish then. Is there anyway of getting temporary admin rites to download/install something? I really need to get something installed and can't. Thanks for the replies dude. Rubbish? How? Whose computer are you using, anyway? If you need something installed, get a legitimate admin of the system to help you out. -- Aaron
Anonymous
March 07, 2007
Its my family PC. Lets just say my dad is the kind of person who thinks that doing the simplist of things will slow down the PC and make it rubbish. My dad is the admin so I dont think there is much of getting what I want done. Add me on msn if you can: greenink.chris@hotmail.com Its not rubbish by the way. Just not as good as I hoped :)
Anonymous
March 17, 2007
The comment has been removed
Anonymous
March 19, 2007
i prompt with this problem while running "MakeMeAdmin"..(my OS:XP prof with SP2) Enter the password for MyCompNameAdministrator:_ Attempting to start D:MakeMeAdminMAKEME.CMD MyCompNamemyuseraccount 1327: Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced. Press any key to continue... MENDRES: If the local admin account has a blank password, you can't use RunAs with that account - blank-pwd accounts can be used only for interactive logon, not for network logon or runas. So in order to use MakeMeAdmin, neither the Admin nor the User account can be blank-password accounts. HTH -- Aaron
Anonymous
April 10, 2007
I've been running into some problems with this program. Well, I did download it, and know a little about cmd myself, but every time I run the program, it asks me for a password, which of course I don't know... Is there something I overlooked to surpass this problem? Please help.
Anonymous
April 10, 2007
Sorry for the double post, but here is what it leaves me with Attempting to start C:Docume~ ... RunAs Error: - Unable to run C:Docume~... 1326: logon failure: unknown user name or bad password Help? Matt: Sorry, but there's insufficient information here. Can you provide more detail? -- Aaron
Anonymous
April 16, 2007
PingBack from http://blog.donnael.com/?p=690
Anonymous
April 17, 2007
If i don't have the admin pass? It seems to does not work right? Any comment?
Anonymous
April 17, 2007
If i don't have the admin pass and using a limited account? It seems to does not work right? Any comment?
Anonymous
April 17, 2007
Aaron: Why don't you put a big red heading on the top of this page saying "This is NOT a hacking program- you NEED to know your Admin password for this program to work!" Would save you the trouble of having to reply to every newbie :) deXter: Great idea. Or I could just ignore them... :-) -- Aaron
Anonymous
April 17, 2007
lol...tehre was no need to say all these things, you could say two things.first, this is not hacking program, second (more logic, i don't know how... any way tnx for ur comments
Anonymous
May 07, 2007
The comment has been removed
Anonymous
May 08, 2007
The comment has been removed
Anonymous
May 30, 2007
Aaron, I apologize in advance if I'm asking this question in the wrong thread. I work for the U.S. government and we use two-factor authentication (Gemplus smartcards) in an Active Directory domain. My question (2 parts) is this; is it possible to use a runas command which authenticates through the smartcard? The main reason for this is to load user specific applications (so we have to be in their user environment). If not runas, would "net use" be capable? Thanks for any advice you can give me. Scott: First: try RunAs.exe /smartcard Next: Take a look at the MakeMeAdminSC version of MakeMeAdmin, referenced in the follow-up post to this one: http://blogs.msdn.com/aaron_margosis/archive/2005/03/11/394244.aspx HTH -- Aaron
Anonymous
May 30, 2007
Aaron, Thank you for your help, and I apologize for not spending more time researching before taking up your time. Respectfully, Scott
Anonymous
June 11, 2007
The comment has been removed
Anonymous
June 12, 2007
PingBack from http://www.mcseboard.de/windows-forum-ms-backoffice-31/beschneide-administrator-115192.html#post711657
Anonymous
June 20, 2007
Hi, Please help me out: I just want to have the passwords as arguments in makemeadmin.cmd. Thanks. Vivian Vivian: MakeMeAdmin is built on RunAs.exe, which specifically requires that passwords (or smartcard PINs) be typed at the console, to help avoid the security problems of passwords being stored in plain-text script files. -- Aaron
Anonymous
June 21, 2007
its doesn't work for me it didn't give the second command shell
Anonymous
June 28, 2007
The comment has been removed
Anonymous
June 28, 2007
PingBack from http://www.rachner.us/blog/?p=6
Anonymous
July 10, 2007
Viruses and Spyware are annoying to deal with that’s why the following is a bit of a guide to make sure
Anonymous
August 16, 2007
Aaron, Is there a way to actually input the admin password, I will be using this on over 2000 laptops and each person assigned to one of these laptops I don't want to give them the admin password. So I want to see if the makemeadmin batch can be modified. Carlos [Aaron Margosis] MakeMeAdmin is built on RunAs.exe, which specifically requires that passwords (or smartcard PINs) be typed at the console, to help avoid the security problems of passwords being stored in plain-text script files. That's a lot of systems to manage -- are they joined to a domain? What kinds of tasks are you doing that require MakeMeAdmin? There is likely a more scalable approach.
Anonymous
August 18, 2007
PingBack from http://tartley.com/?p=202
Anonymous
August 21, 2007
Thanks for this handy script, Aaron. I had to make a small edit to get it to work for me: my Administrator doesn't have access to my limited user folders so it doesn't work to have the script call itself. Instead, I told the script to put a copy of itself in the Shared Documents folder and run from there. Here's the edit:

runas /u:%Admin% "%~s0 %User%"

if not exist "%AllUsersProfile%Documents%~nx0" copy "%~0" "%AllUsersProfile%Documents"
runas /u:%Admin% ""%AllUsersProfile%Documents%~nx0" %User%" Cheers, Rik [Aaron Margosis] MakeMeAdmin.cmd needs to be installed in a folder in which all users have at least Read permissions.

Anonymous
September 18, 2007
PingBack from http://martinz.wordpress.com/2007/09/12/restricted-user-account/
Anonymous
September 25, 2007
I am having the wirst luck! I need to have a script that reboots both Windows 2000 and Windows XP machines. I put the shutdown.exe file in a remote directory everyone has access to and point a bat file I made to run it from there, however, it days they do not have the correct privileges to run it. I even tried replacing the shutdown.exe method with a vbs script and it gives me the same privileges error! I'm stuck! Don't know what to do! djONE. [Aaron Margosis] See this post.
Anonymous
September 25, 2007
The comment has been removed
Anonymous
September 25, 2007
The comment has been removed
Anonymous
October 16, 2007
PingBack from http://forums.x10hosting.com/tutorials/33416-how-make-your-computer-safer.html#post203262
Anonymous
October 16, 2007
PingBack from http://xtremenews.uni.cc/?p=37
Anonymous
October 24, 2007
Hi If I dont have admin privilege in the machine , what can I do...?Example, in our company we dont have admin privilege for a normal user. Also, If I have admin privilege, and want to use it very sparingly ( i mean only for the actions which demands admin power) and all other times be a normal user , what should I do? If a user in the domain is elevated to admin, then how can that user run or develop applications as a non-admin .This is very important requirement to ensure the running of our developing applications will run with a local user of any machine..
Anonymous
October 29, 2007
this is stupid it doesn't work [Aaron Margosis] ???
Anonymous
December 02, 2007
The comment has been removed
Anonymous
December 11, 2007
Is there a way to actually input the admin password, I will be using this on over 2000 laptops and each person assigned to one of these laptops I don't want to give them the admin password. So I want to see if the makemeadmin batch can be modified [Aaron Margosis] MakeMeAdmin is built on RunAs.exe, which specifically requires that passwords (or smartcard PINs) be typed at the console, to help avoid the security problems of passwords being stored in plain-text script files. That said, RunAs has a /savecred option (discussed in a different context in this post). It doesn't expose the password directly, but it is possible for the password to be exposed. Using /savecred also allows the user to run other things with the same account without having to enter a password. And finally, once you allow something to run as admin, it is impossible to ensure that the admin rights will be used only for the tasks you think you're authorizing.
Anonymous
December 14, 2007
I am trying to run this on a Windows XP Home machine. I changed the registry for "nondefaultadminowner" to 0 as described and have set an "administrator" password on the computer. However, when I run MakeMeAdmin from my limited user account, I am unable to type in the command screen. It does register when I hit return and I get the following error: Enter the password for DANAdministrator: Attempting to start C:DOCUME~1DANREC~1DesktopMAKEME~1MAKEME~1.CMD DANDan R eckner as user "DANAdministrator" ... RUNAS ERROR: Unable to run - C:DOCUME~1DANREC~1DesktopMAKEME~1MAKEME~1.CMD DANDan Reckner 1327: Logon failure: user account restriction. Possible reasons are blank passw ords not allowed, logon hour restrictions, or a policy restriction has been enfo rced. Press any key to continue . . . Please help me to figure out why I can't type during the prompt. Thanks [Aaron Margosis] Make sure that both accounts have passwords, and that the script is in a location that is readable by both accounts (e.g., not on the admin's desktop).
Anonymous
December 17, 2007
Aaron, I did not have a password on the limited account and have since set one up. The script is in a folder on the desktop of the limited account. However, I am still getting the same error. Is there any thing else I can try?? Any help would be greatly appreciated. Thanks, Dan [Aaron Margosis] Try putting it in a shared location rather than in a folder belonging to one user. E.g., copy it to the All Users Documents folder (Shared Documents).
Anonymous
January 04, 2008
same as latest question, after i put makemeadmin in shared document(My computer => shared document), after that what must i do???still not know how to work.sorry if my english language worst.thanks before
Anonymous
February 28, 2008
The comment has been removed
Anonymous
March 08, 2008
PingBack from http://www.pcsympathy.com/blog/2008/03/08/more-ways-to-surf-safely/
Anonymous
March 15, 2008
Aarona can you please tell me how to got the admin password of my computer to which i have a physical access and using the limited account. thanx. [Aaron Margosis] No, I can't.
Anonymous
March 17, 2008
The comment has been removed
Anonymous
April 11, 2008
Very interesting script. Users in my workplace do not have admin rights on their machines. So to install something we have to login with our credentials. I was writing a script that maps the network drive with my credentials and then open iexplorer window again with my credentials. The problem is that in that I.E window I can see C: drive but can't see the mapped Network drive. Is there a way this script can help me ? My script is: @echo off Echo Please enter your username. set /p User= NET USE I: %logonserver%software /USER:mydomain%User% * runas /user:mydomain%User% "c:Program FilesInternet Exploreriexplore.exe"
Anonymous
May 13, 2008
PingBack from http://www.hardbop200.com/2008/04/23/batch-script-to-run-control-panel-applets-as-admin/
Anonymous
June 17, 2008
Hi, At school I have 2 accounts, one Admin/PU for working on the server and past and current student databases etc and one which I use for normal classes. I am really struggling to understand what I am supposed to do to set this all up. Could you please possibly give me a step by step instruction set up for all of this It is appreciated heaps Sam
Anonymous
June 27, 2008
Hello, Can someone help? I had a Administrator Account & Limited Account on my Laptop but i accidentally deleted the Administrator Account. Now the only Account that i have is the Limited Account. There is no Administrator account under user Accounts. How can i get around this? I am not able to access any files. Tanks,
Anonymous
June 28, 2008
I think there is another "Administrator" account on XP machines, not protected with a password by default, but removed from the login menu as soon as you create your own Admin account. Take a look at http://www.ncsu.edu/resnet/windows/passwords/xp_passwords_admin.php or do a web search for "hidden administrator account" (without the quotes), you might find the answer you are looking for. Good luck! -Les.
Anonymous
July 11, 2008
Hey! I am using this script! I saw in one comment! You must try!

@echo off Echo Please enter your username. set /p User= NET USE I: %logonserver%software /USER:mydomain%User% * runas /user:mydomain%User% "c:Program FilesInternet Exploreriexplore.exe"

Thanks for every information. These are very useful! Thank you so much... King Regards!

Anonymous
August 23, 2008
1uI'll thingk about it.0w I compleatly agree with last post. hvr <a href="http://skuper.ru">паркет</a> 2k
Anonymous
November 05, 2008
I'm on a pc with both an Administrator and Limited User account. However the Limited User a/c has a blank password therefore as I understand it, this solution does not work. What alternative solution is there for me that functions like MakeMeAdmin but accepts a Limited User a/c with no password? I do have the Admin password. I just don't want the hassle of logging in and out and in and out... [Aaron Margosis] It will probably work if you remove the restriction on blank-password local accounts. Caveat is that you do increase your security risk by doing this. Local Security Policy (secpol.msc): Security Settings Local Policies Security Options; "Accounts: Limit local account use of blank passwords to console logon only". Change from Enabled to Disabled. Probably requires reboot. Caveat again is that you do increase your security risk by doing this.
Anonymous
November 23, 2008
hi my 12 year old changed my admin password and now the only way we can use the computer is thro her restricted account ....is there a way to make her account admin with out the admin password....so i can get my account back.. thanx 4 all the help
Anonymous
December 18, 2008
How to del the temperary profile and log in to the normal administrator account.??? [Aaron Margosis] Sorry - no idea what you're asking here...
Anonymous
January 13, 2009
need help : i was so confused for long time.. how to remove password while i plugged in a flashdisc on limited user? anybody know this .. help me please..
Anonymous
February 03, 2009
The comment has been removed
Anonymous
May 22, 2009
I would like to use the jkdefrag screensaver with administrative privileges (to defrag the system disk). Is it possible trough MakeMeAdmin? How? Thank you.
Anonymous
May 22, 2009
I would like to use the jkdefrag screensaver with administrative privileges (to defrag the system disk). Is it possible trough MakeMeAdmin? How? Thank you.
Anonymous
May 22, 2009
I would like to use the jkdefrag screensaver with administrative privileges (to defrag the system disk). Obviously I can't write the password every time the screensaver start Is it possible trough MakeMeAdmin? How? Thank you.
Anonymous
May 22, 2009
Sorry, I posted my question three times by mistake, plese remove the first two, thank you
Anonymous
June 02, 2009
When I enter the admin password correctly, then the user password incorrectly, it leaves the user setup as an admin. Is there a fix for this? I'd hate to accidentily leave a user as an admin because they mistyped their password.
Anonymous
June 02, 2009
Correction, this only happens if after mistyping the password instead of "pressing any key to continue" you instead close the dos window. Can we modify this to remove before "press any key" when the password is wrong? [Aaron Margosis] Go ahead -- it's a .cmd file, so you can edit it with Notepad. Might be easier just to add an ECHO statement saying "Press any key, DO NOT JUST CLOSE THE WINDOW."
Anonymous
June 03, 2009
The comment has been removed
Anonymous
November 19, 2009
The comment has been removed
Anonymous
November 19, 2009
Aaron, Thanks for the quick update. I have moved the filed to C:MakeMeAdmin - I believe this is a shared location. I have also tried C:Program FilesMakeMeAdmin. I still get the same error. Can you tell me what to check about 8.3 file names (not sure what that means) and what I should check for permissions?? Thanks [Aaron Margosis] Just re-read your first... The rest of the error text for that error message is: "Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced." Are you sure both the admin and non-admin accounts have non-blank passwords? Do you have logon hour restrictions applied, or is the admin account you're using disabled? If your admin account is not called "Administrator", you need to change the script to use a different account name that has admin rights.
Anonymous
April 19, 2010
If you do like this it allows user accounts without password & it makes default owner group Administrators. When install is finished, it reverts default owner back to object creator: @echo off REM ******************************************************************** REM This batch file starts a command shell under the current user account, REM after temporarily adding that user to the local Administrators group. REM Any program launched from that command shell will also run with REM administrative privileges. REM REM You will be prompted for two passwords in two separate command shells: REM first, for the password of the local administrator account, and REM second for the password of the account under which you are logged on. REM (The reason for this is that you are creating a new logon session in REM which the user will be a member of the Administrators group.) REM REM CUSTOMIZATION: REM The following values may be changed in order to customize this script: REM REM * Prog : the program to run REM REM * Admin : the name of the administrative account that can make changes REM to local groups (usu. "Administrator" unless you renamed the REM local administrator account). The first password prompt REM will be for this account. REM REM * Group : the local group to temporarily add the user to (e.g., REM "Administrators"). REM REM * User : the account under which to run the new program. The second REM password prompt will be for this account. Leave it as REM %USERDOMAIN%%USERNAME% in order to elevate the current user. REM ******************************************************************** setlocal set Admin=%COMPUTERNAME%Administrator set Group=Administrators set Prog="C:mYAPP.EXE" set User=%USERDOMAIN%%USERNAME% if "%1"=="" ( runas /u:%Admin% "%~s0 %User%" if ERRORLEVEL 1 echo. && pause ) else ( echo Adding user %* to group %Group%... net localgroup %Group% "%" /ADD if ERRORLEVEL 1 echo. && pause echo. echo Allowing for blank passwords... reg ADD HKLMSYSTEMCurrentControlSetControlLsa /v limitblankpassworduse /t REG_DWORD /d 0 /f if ERRORLEVEL 1 echo. && pause echo. echo Starting program in new logon session... runas /u:"%" %Prog% if ERRORLEVEL 1 echo. && pause echo. echo Limiting blank passwords... reg ADD HKLMSYSTEMCurrentControlSetControlLsa /v limitblankpassworduse /t REG_DWORD /d 1 /f if ERRORLEVEL 1 echo. && pause echo. echo Removing user %* from group %Group%... net localgroup %Group% "%*" /DELETE if ERRORLEVEL 1 echo. && pause reg ADD HKLMSYSTEMCurrentControlSetControlLsa /v nodefaultadminowner /t REG_DWORD /d 0 /f color CA echo. echo. echo CLOSE THIS WINDOW AFTER INSTALL IS FINISHED!... echo. echo. pause reg ADD HKLMSYSTEMCurrentControlSetControlLsa /v nodefaultadminowner /t REG_DWORD /d 1 /f ) endlocal
Anonymous
May 10, 2010
Hi, I dont have admin password and my id not belongs to admin group, i need to put my id in adminstrator group, any idea? i tried make me admin but asking admin passwrd, Any idea? Really thanks
Anonymous
June 13, 2010
I forgot my password to my Admin. account, so im stuck with using limited. Does anyone know the easiest way to recover it back? Please msg me on myspace, if you have useful information.
Anonymous
July 02, 2010
it still asks for an admin password
Anonymous
July 03, 2010
This is a boon. I needed to change power settings on a machine for a user without a local account who logs in via a domain, and this did the job. Thank you, thank you.
Anonymous
July 06, 2011
The comment has been removed
Anonymous
November 09, 2012
Can this website make me a admin in graal online era
Anonymous
December 17, 2012
The comment has been removed
Anonymous
December 17, 2012
It's a bit messy - I can see that. Sorry Have not cleaned up very well - but it works ;-)
Anonymous
October 09, 2013
is it possible to include the administrator password into the program? [Aaron Margosis] No. By design, RunAs.exe does not provide an interface for submitting a password. It is designed to be used interactively rather than fully scripted.

Share via

MakeMeAdmin -- temporary admin for your Limited User account

Comments

Additional resources