Udostępnij za pośrednictwem


MakeMeAdmin -- temporary admin for your Limited User account

[added March 11, 2005: Important follow-up here: https://blogs.msdn.com/aaron_margosis/archive/2005/03/11/394244.aspx ]

[edited Aug 6, 2012: That follow-up post now includes the MakeMeAdmin.zip download, as the original hosting server is being decommissioned.]

 

Common scenario: you log on with your Windows domain account, which you have removed from the Administrators group (as well as from Power Users, Backup Operators, etc.). When you need to perform tasks that require elevated privileges, you use RunAs to start a program with the local Administrator account. You quickly realize two things:

  1. The program running as local Administrator cannot access network resources, since your local account is recognized only on your own computer; and
  2. Any per-user settings apply to the local Administrator’s profile, not to the profile you normally work with.

The first problem often occurs when installing software from a network share, or an ActiveX control from an intranet site that uses Windows authentication. An area where the second problem crops up is with applications that assume that it will be installed by the same user who will use it. Some apps also have a “run-once” problem, in which the app needs to be executed one time with admin privileges. For some, such as Windows Messenger 4.x, each user has to run it one time with admin privs.

The per-user settings problem also occurs with the Power Options applet in Control Panel, which modifies both per-machine and per-user settings. When you use it from an unprivileged account, an error occurs writing the per-machine settings, so the per-user settings never get written. When you use it from the local admin account, the per-user settings you write are for the local admin account, not the account you normally use.

 

There are a number of ways to address the network access problem. The first of these that I’ll describe also addresses the user profile problem.

Elevating your normal account to admin

The only effective way I know of to address the user profile issue is to make your “normal” account an administrator. The trick is to do it for the least amount of time necessary.

The long and painful way

Using an admin account, you can add your normal account into the Administrators group, but that change doesn’t take effect until the next time you log on. If you’ve tried this, you’ve probably noticed that it’s a pain to add your domain user account into the Administrators group using the GUI – first you need to use RunAs to run the Computer Management / Local Users and Groups console; you then get prompted for network credentials to resolve the domain names because your local admin account isn’t recognized. And then when you’re done with all that, your current logon still doesn’t have admin privileges because changes to groups and privileges only take effect on subsequent logons. Finally, you need to remember to remove yourself from the Administrators group and then log back in again to make that change take effect.

“MakeMeAdmin”

MakeMeAdmin.cmd addresses all of these issues. When you run it, you get a Command Prompt running under your normal user account, but in a new logon session in which it is a member of the Administrators group. This Command Prompt and any programs started from it use your regular profile, authenticate as you on the network, but have full local admin privileges. All other programs continue to run with your regular, unprivileged account.

How does it work? Remember a moment ago when I mentioned that changes to groups and privileges take effect only on subsequent logons? The critical thing to understand is that you do not actually need to log out in order to log on. If you use RunAs to start a process with your current account, it creates a new logon session and builds a new token, taking into account group memberships in effect at that instant. MakeMeAdmin.cmd invokes RunAs twice, prompting you first for your local admin password, then for your current account password. The bit that runs as local administrator does the following:

  1. Adds your current account to the local Administrators group (using NET LOCALGROUP, avoiding the problem of needing network credentials to resolve names);
  2. Invokes RunAs to start a new instance of cmd.exe using your current account, which is at this instant a member of Administrators;
  3. Removes your current account from the local Administrators group.

The result of the second step is a Command Prompt running in a new logon session, with a brand new token representing your current account, but as a member of Administrators. The third step has no effect on the new cmd.exe’s token, in the same way that adding your account to Administrators does not affect any previously running processes.

The zip file (attached to this post) also includes a less-privileged version, MakeMePU.cmd, which temporarily elevates you to Power Users instead of Administrators.

A very brief bit about processes and tokens

I’ll try to keep this as brief and broad-brush as possible. What follows is not 100% accurate and complete, but if you’re unfamiliar with the concepts I think you might find it helpful:

  • Every program in Windows runs in a “process”. A process may display zero or more windows. You can see a list of the running processes by starting Task Manager and clicking on the “Processes” tab. If you click on the “Applications” tab, then right-click on one of the items listed there and choose “Go To Process”, it will show you which process that “application” is running in.
  • A “token” identifies a user, the Windows groups that user belongs to, and a set of system privileges, such as the ability to change the computer’s clock. When a user logs on (including with RunAs), the system creates a new token for the user, determining at that time what groups the user is a member of and which privileges the user should have. Once a token is created, one can’t add or (generally) remove any groups or privileges from the token.
  • Every process always has a token. In almost all cases, its token is a copy of that of its parent process (the process which started it).
  • Whenever a process tries to access a securable object (such as a file or a registry key), an access check is performed by comparing the process’ token to the “access control list” (ACL) of the object. The result of that access check determines whether the requested access is allowed or denied.

Addressing the network resource access issue

If you prefer to use the local administrator account, but need to use your domain account for network access, there are a couple of other approaches:

From your local admin Command Prompt, you can simply NET USE to authenticate to the specific resources you need to access. You need to authenticate separately this way for every remote computer you wish to access. NET USE is logon-session specific, so any connections established in one Command Prompt affect only processes started within the same RunAs session.

Another commonly used approach is to use RunAs with /netonly. The /netonly option starts the target process in a new logon session with the current token, but with the account you specify for all SSPI-based network access. You can kind of think of it as implicitly calling NET USE for every remote computer you try to access. Here’s how you might use it (ignore word-wrapping – this should be one line):

runas /u:%COMPUTERNAME%\Administrator "runas /netonly /u:%USERDOMAIN%\%USERNAME% cmd.exe"

(If you have renamed your builtin Administrator account, change “Administrator” to the new name.)

As with MakeMeAdmin, RunAs is used twice and you’ll get prompted for two passwords: that of the local Administrator, and that of your current account. What you’ll get is a Command Prompt running under the local Administrator account, using the local Administrator profile, but authenticating on the network with your domain account. (Confusingly, the title bar will say that you’re running as the domain user rather than as the local administrator.)

Tradeoffs of MakeMeAdmin vs. using the builtin Administrator account

Personally, I prefer using MakeMeAdmin. The main issues I have run into with MakeMeAdmin are 1) telling privileged from unprivileged apps, 2) Explorer issues, and 3) issues with objects created while running with elevated privilege.

1. Telling privileged from unprivileged apps

In two previous posts, I echoed Keith Brown's suggestion to change the admin’s background bitmap for Explorer and Internet Explorer so that you could tell your admin windows from your non-admin ones. But with MakeMeAdmin, you can have different IE and Explorer windows all running as “you”, but some with administrator privileges and others not. The background bitmap settings are associated with user accounts, not with privilege levels, so they don’t help you in this scenario.

I promised to provide a solution. It’s called PrivBar and it adds a toolbar to your IE and Explorer windows that lets you know at a glance at what privilege level that particular instance is running. At this point I will have to postpone it to a future post – this post is already very long and very overdue! I will try to post it really soon! [July 24, 2004, 11:40pm Eastern US time: It's up! https://blogs.msdn.com/aaron_margosis/archive/2004/07/24/195350.aspx ]

2. Explorer issues

If you want to start explorer.exe from a MakeMeAdmin context, you need to set the Separate Process flag for your normal account, and you must start explorer.exe with /root, in the command line unless there are no other Explorer windows running. For more information, read my post about using RunAs with Explorer, paying close attention to “More info about Explorer’s Separate Process flag” and the references to explorer.exe command line options.

3. Objects created while running with elevated privilege

Normally, when a user creates a securable object, such as a file, folder, or registry key, that user becomes the “owner” of the object and by default is granted Full Control over it. Prior to Windows XP, if the user was a member of the Administrators group, that group, rather than the user, would get ownership and full control. The user still had ownership and control over the object by being a member of Administrators. But if you created objects while a member of Administrators and then were removed from the group, your subsequent use of those objects could be limited or completely denied. Windows XP introduced a configurable option whether ownership and control of an object created by an administrator would be granted to the specific user or to the Administrators group. The default on XP is to grant this to the object creator; the default on Windows Server 2003 is to grant it to the Administrators group.

I’m not on the Windows team and was not party to the thinking that went into exposing this option and establishing its defaults. My guess is that it was that on the server, all admins are equal. If I’m an admin on a server and I create an object and am later reassigned or leave the company, any other admin should be able to access and manage the objects I created without any trouble. A workstation, however, is more likely to be a single-user device. Objects I create on my computer, such as documents, should remain under my control even if I change myself from a Computer Administrator to a Limited User (to use XP Home Edition’s terminology). I think this makes a lot of sense.

However, MakeMeAdmin changes things. If I use MakeMeAdmin to install programs, my normal account will be granted ownership and full control over the installation folder, the program executable files, and any registry keys the installation program creates. Those access rights will remain even when I am no longer running with administrator privileges. That’s not what I want at all. I want to be able to run the app, create and modify my own data files, but not to retain full control over the program files after I have installed it. For this reason, I changed the “default owner” setting on my computer to “Administrators group”.

To view or change this setting, open “Local Security Policy” in Administrative Tools, or run secpol.msc. You need to be an admin to use this tool. In the left pane, browse to Security Settings \ Local Policies \ Security Options. The policy name is “System objects: Default owner for objects created by members of the Administrators group”. The allowable settings are “Administrators group” or “Object creator”.

Coming Real Soon

  • PrivBar
  • Running with a restricted token (what does “protect my computer and data from unauthorized program activity” actually mean)
  • ???

Comments

  • Anonymous
    July 23, 2004
    Thank you for the excellent informative posting

  • Anonymous
    July 23, 2004
    Thanks Aaron, I've been eagerly awaiting this post... Looking forward to the privbar

  • Anonymous
    July 25, 2004
    On a German Windows one has to change in the batch file the group name from Administrators to Administratoren ;-) It works perfect now!

  • Anonymous
    July 25, 2004
    Very informative post for me. Thanks for the lesson, now maybe I will try to run as non-admin.

  • Anonymous
    July 25, 2004
    Daniel, thanks for the note. I should have mentioned that the script can be customized, for localization or any other reason. Thanks for pointing it out.

  • Anonymous
    July 26, 2004
    I had to make a change or five to get the batch file to handle user names with embedded spaces. Wasn't exactly a trival change, either, given the existence double quotes already in the cmd file. (And, no, just using " didn't help, either). Once I've got it cleaned-up, I'll post here.

  • Anonymous
    July 26, 2004
    ToddM - thanks, good point. Does this work for you? (I've tried it and it seems to work for me...) Mostly just replace instances of %1 with "%". I've only tried this with the current username with an embedded space - didn't try domain/workgroup name with embedded space, or a renamed admin account with an embedded space.


    @echo off
    setlocal
    set Admin=%COMPUTERNAME%Administrator
    set Group=Administrators
    set Prog="cmd.exe /k Title *** %
    as Admin *** && cd c: && color 4F"
    set User=%USERDOMAIN%%USERNAME%

    if "%1"=="" (
    runas /u:%Admin% "%~s0 %User%"
    if ERRORLEVEL 1 echo. && pause
    ) else (
    echo Adding user %* to group %Group%...
    net localgroup %Group% "%" /ADD
    if ERRORLEVEL 1 echo. && pause
    echo.
    echo Starting program in new logon session...
    runas /u:"%
    " %Prog%
    if ERRORLEVEL 1 echo. && pause
    echo.
    echo Removing user %* from group %Group%...
    net localgroup %Group% "%*" /DELETE
    if ERRORLEVEL 1 echo. && pause
    )
    endlocal

  • Anonymous
    July 29, 2004
    "iexplore.exe -new" will do what you want without setting any special settings.

  • Anonymous
    July 29, 2004
    Ari - what does -new do for iexplore.exe? Wasn't that for starting IE 4.x in a new process? Starting iexplore.exe always results in a separate process now.

  • Anonymous
    August 02, 2004
    We use a similar process here for our Zenworks Deployments. In some instances the Zenworks tool will not properly elevate a user which then requires us to add a user to the admin group, then remove them. I have devloped a tool called Authenti-key for NT that allows you elevate installs as an administrator. IT works on 95 - XP. You can create an elevated CMD window and perform any admin task from there. Similar to SU and can be used in scripting.

    Here is a link.

    http://downloads-zdnet.com.com/Authenti-Key-for-NT-AKEY-/3000-2094-10153448.html?tag=lst-0-1

    Great work on the script. !!

  • Anonymous
    August 10, 2004
    Use MakeMeAdmin.cmd when installign software

  • Anonymous
    August 10, 2004
    Use MakeMeAdmin.cmd when installign software

  • Anonymous
    August 11, 2004
    This is an interesting script. It has some room for error but I have an idea about how to avoid that. Some fellow who seems to work for Microsoft in some capacity has written a batch script called MacMeAdmin that...

  • Anonymous
    August 11, 2004
    thanks a lot for this superb script. I was looking for a solution that addresses the issues with "RunAs" for a long time.

  • Anonymous
    August 11, 2004
    Great utility. The one problem we ran into is that we have the "installation" file on a netware server, and can't point to the network drive mapping.

  • Anonymous
    August 11, 2004
    Carolh - Correct. SMB sessions (e.g., NET USE connections and drive mappings) belong to a logon session. Since MakeMeAdmin runs in a separate logon session from your main shell, it doesn't automatically get the shell session's drive mappings. (I assume the same or similar is true with IPX/SPX stuff.) You can create a new connection within the MakeMeAdmin session using NET USE or the NetWare equivalent.

  • Anonymous
    August 11, 2004
    The comment has been removed

  • Anonymous
    August 11, 2004
    "Common scenario: you log on with your Windows domain account, which you have removed from the Administrators group (as well as from Power Users, Backup Operators, etc.) . When you need to perform tasks that require elevated privileges, you use RunAs to start a program with the local Administrator account. You quickly realize" that this is a pain in the posterior! Here's how to go about it much easier and without the limitations....

  • Anonymous
    August 11, 2004
    Toby - I've never had my code called "cute" before. Thanks?

    The term you are looking for in the 2nd paragraph is "desktop" - as in, the Win32 construct that is defined within a Window Station. (See http://msdn.microsoft.com/library/en-us/dllproc/base/desktops.asp) . Any program (more accurately, any thread) running on a particular desktop can access any window running on that desktop, send it messages, simulating keystrokes and mouse events, etc. When you use RunAs, you're creating a new program running in a different security context, but on the same desktop, so the risk you identified exists. With Fast User Switching, you are switching to a different desktop and are not vulnerable to those kinds of attacks. I pointed to Fast User Switching in an earlier post called "The easiest way to run as non-admin"; it is IMO also the most secure way to run as non-admin for the reason you point out. However, FUS isn't available for domain-joined machines.

  • Anonymous
    August 11, 2004
    The comment has been removed

  • Anonymous
    August 11, 2004
    I looked at my Local Security Policy on my XP machine and "System objects: Default owner..." is set to "ObjectCreator". However when I check the ownership of files, e.g. Adobe Acrobat Reader and others under "Program Files" the owner is my local machine's administrators group and not my account (which currently is part of the administrators group).

    My machine isn't part of a domain.

  • Anonymous
    August 11, 2004
    Rage on Omnipotent » Make me admin

  • Anonymous
    August 12, 2004
    The comment has been removed

  • Anonymous
    August 12, 2004
    The comment has been removed

  • Anonymous
    August 12, 2004
    Marc Poljak: as far as I know, RUNAS.EXE does not let you enter passwords through stdin. This is probably to discourage the practice of storing passwords in plain text files.

  • Anonymous
    August 12, 2004
    The comment has been removed

  • Anonymous
    August 13, 2004
    The comment has been removed

  • Anonymous
    August 13, 2004
    Sean McL, re RDP back to localhost: I'm referring to the fact that your RDP client app (typically mstsc.exe) is on the same desktop as your non-privileged logon. Unprivileged apps could (at least theoretically, I haven't tried it) send messages to the mstsc window to direct key and mouse events to the remote desktop.

    I'll tackle your next post after I get some coffee :-)

  • Anonymous
    August 14, 2004
    Aaron Margosis: I love this blog, thank you so much for the time and effort!

    Aaron && Sean: Considering the whole same desktop/message issue (how hard would it be for malware to find a process with admin rights? furthermore why isnt there any security for messaging), it seems that Sean's solution, Scary User Switching, as its now officially known :D, seems to be the best one. I'm not sure what the 'previously running apps' are either. They only thing they could be are things started by user logon scripts. According to this <http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/regentry/12330.asp> the only things userinit does are run logon scripts, establish network connections, and then start explorer. so if your special MakeMeAdmin account isnt running anything with loginscripts, the first thing to run should be explorer.

    One thing I think might be better. Instead of making a custom userinit application (which would need to call userinit anyway to reestablish network connections), couldn't we set user specific paths to explorer, by changing Shell in HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIniFileMappingsystem.iniboot from "SYS:MicrosoftWindows NTCurrentVersionWinlogon" to "USR:SoftwareMicrosoftWindows NTCurrentVersionWinlogon". Then create the Shell entry in that key for each user and point set them to explorer.exe. Except for your special MakeMeAdmin account, set it to the properly modified MakeMeAdmin.cmd.

    Marc Poljak: storing the admin password in the file would defeat the purpose. i don't see any prob with using the savecred option to eleminate having to type in the password for the current user account though. it would be saved in the admin's credentials folder.

  • Anonymous
    August 14, 2004
    Will the one issue with your approach is that any processes launched by the login scripts will now be running with the Admin token and not the regular user account in the admin group. Also the network connections will be established with the admin account.

    So you'll have a mix of accounts which is what I was trying to avoid with the custom userinit approach.

  • Anonymous
    August 14, 2004
    Will Brown: Yes, I know that storing a password in a plain text file is a very bad idea, but there are tools with which you can transform a BAT file into a EXE and then obfuscate the code in order to prevent the retrieval of the password via a hex editor. With a script like MakeMeAdmin you can launch a new command shell with elevated privileges or you can launch all kind of things through a logon script. This is useful if you do not have Group Policies and Active Directory at your disposal or an installed "agent" on the client, which runs under the local system account.

    But, with the /SAVECRED option I have the result which I was looking for (well, not quite what I wished, but it works and that's important!). So, thank you for getting me on the right track.

    Cheers,

    Marc Poljak

  • Anonymous
    August 16, 2004
    I experienced a similar problem with right delegation and I developed a little utility called MyRunAs that allow you to run a program impersonating another user (like Windows RunAs) but it generate an executable where there are the user credentials and the program name crypted.
    Take a look on http://spazioinwind.libero.it/vittoriop/myprojects.html
    Regards

    Vittorio

  • Anonymous
    August 16, 2004
    Sean McLeod - The first time I read your post about what I called "Scary User Switching" I misunderstood exactly what you were doing. I guess it might work - have you tried it?

    Note that once you apply SAVECRED, the creds can be used with other apps as well, not just the one you specified.

  • Anonymous
    August 16, 2004
    Aaron, yes what I was proposing was really just a combination of your suggestions with hopefully the best benefits of both, i.e. using a separate admin account with FUS and using MakeMeAdmin to create a logon token that is a combination of your regular (LUA) in the admin group (call this your 'MakeMeAdmin' account, although it's not really a separate distinct user account).

    So you end up with a separate desktop session and all the added security benefits that brings but at the same time instead of running processes in this desktop as the administrator account and the potential hassles that brings with network credentials, installing software etc. you run as your special 'MakeMeAdmin' account.

    I'll test it out on a test machine in the next couple of days and let you know how it works, just a bit busy with some 'real' work ;-)

  • Anonymous
    August 18, 2004
    I was wondering what it would take make this into a SHell extension to create a kind of SUPER_Runas feature. Would be awesome to be able to right-click on an app/shortcut and run as any user elevated to Admin or poweruser etc.

  • Anonymous
    August 18, 2004
    I was wondering what it would take make this into a SHell extension to create a kind of SUPER_Runas feature. Would be awesome to be able to right-click on an app/shortcut and run as any user elevated to Admin or poweruser etc.

  • Anonymous
    September 02, 2004
    Will's Blog - Adventures of an IT Grad &raquo; Running as Limited User and Having temporary admin priveledges

  • Anonymous
    September 03, 2004
    Nerhood Weblog - Digital Diary - Family, Work, Technology, Books and Media &raquo; MakeMeAdmin &#8211; temporary admin for your Limited User account

  • Anonymous
    September 05, 2004
    reuteras.com &raquo; Bra verktyg f?r Windows

  • Anonymous
    September 17, 2004
    The comment has been removed

  • Anonymous
    October 25, 2004
    Aaron Margosis is a Microsoft employee who is writing a weblog on running Windows with least privilege on the desktop. If you are having trouble running applications under an account with less privileges than administrator, there are many useful suggestions...

  • Anonymous
    February 15, 2005
    chris.webdevlab.com &raquo; The Non-Admin Blog

  • Anonymous
    March 11, 2005
    MakeMeAdmin script updates, and a security setting you should change

  • Anonymous
    April 18, 2005
    Complete list of Aaron Margosis' non-admin / least privilege posts, for easy lookup.

  • Anonymous
    May 30, 2005
    Installing .inf files if you are living the non-admin lifestyle

  • Anonymous
    June 05, 2005
    I learn something usefull today!

  • Anonymous
    June 10, 2005
    Get your friends and family, all those folks that come to you for computer help once their machines have...

  • Anonymous
    June 15, 2005
    The comment has been removed

  • Anonymous
    July 05, 2005
    Ok, ik heb vandaag wat sessies gevolgd over de security improvements in het Longhorn timeframe en hoe...

  • Anonymous
    July 10, 2005
    Very handy tool for those of us that rightly develop under the 'least privileged' user context.

    MakeMeAdmin...

  • Anonymous
    July 10, 2005
    Very handy tool for those of us that rightly develop under the 'least privileged' user context.

    MakeMeAdmin...

  • Anonymous
    July 29, 2005
    The comment has been removed

  • Anonymous
    August 25, 2005
    Anyone know how to gain Administrative Privilages with a Limited Account if you don't know the password?

  • Anonymous
    November 05, 2005
    How can you get around typing in the local administrator password?

  • Anonymous
    November 15, 2005
    The comment has been removed

  • Anonymous
    January 20, 2006
    This little utility inspired me to write a service based app that allows you to launch any program as yourself with an admin token. If anyone want's to try it out and comment, you can grab it here....

    http://home.toadlife.net/blog/weblog.pl?trackback=1

    Thanks Aaron. :)

  • Anonymous
    January 30, 2006
    it does'nt work with me...it's asking for admin password which i don't know.

  • Anonymous
    January 31, 2006
    Archos - that is correct. You need to have the admin password in order to do this. Otherwise it would be an unauthorized elevation of privilege!

  • Anonymous
    February 01, 2006
    Not sure what I'm doing wrong, but running this gives me an error after entering the first local admin password:


    Enter the password for ADMINCOMPAdministrator:
    Attempting to start C:DOCUME~1MSMITH~1.DOMDesktopMakeMeAdmin.cmdkeMeAdmin.cm
    d DOMAINmsmith as user "ADMINCOMPAdministrator" ...
    RUNAS ERROR: Unable to run - C:DOCUME~1MSMITH~1.DOMDesktopMakeMeAdmin.cmdkeM
    eAdmin.cmd DOMmsmith
    87: The parameter is incorrect.

  • Anonymous
    February 01, 2006
    Well running it from the root of the c drive works fine. Seems as though it just refuses to run properly from the desktop.

  • Anonymous
    February 06, 2006
    I cannot use your batch-files, nor a simple runas.exe.
    My administrator user name and password are in Hebrew. Moreover, the Administrator user name consists of more than one word. All of this is fine for me, it make me feel more secure and it works with "Shift-right-click-run-as".
    But: runas does not accepts it. (I'm using Windows XP Home Ed. SP2).
    Anyone has a suggestion ?

    Thanks

  • Anonymous
    February 24, 2006
    Try using quoatation marks for domain accounts, to avoid interpreting "" as directory separator in batch scripts

  • Anonymous
    February 24, 2006
    Vatroslav Mihalj - I'm not sure what problem you're trying to solve.  The script should already have quotes in the correct places - see where "%*" is used in the second part of the script.

  • Anonymous
    March 03, 2006
    I have a laptop with only one user.
    The past user, removed ALL users, except for
    the one guy getting the laptop.
    He is a Limited user, and we need to make
    him a Administrator and add a USB printer.
    Do you think this MakeMeAdmin will help?
    Thanks
    Mike Logsdon
    mlogsdon@senate.state.mo.us

  • Anonymous
    March 03, 2006
    Mike Logsdon - Rather than make the new user an admin, log on with the Admin account and install the printer from there.  I assume the previous user did not delete the built-in Admin account.  If there truly are no admin accounts left on the computer, reformat and reinstall Windows.  Note that in order to use MakeMeAdmin, you need to have the password for an admin account, and neither the Admin nor the User account can be blank-password accounts.

  • Anonymous
    March 07, 2006
    Have written a little tool based on Arons idea.

    Comments please here or to fli4l@online-barthel.de

    http://www.online-barthel.de/Download/makemeadmin/MakeMeAdmin.exe

  • Anonymous
    March 13, 2006
    Aaron, regarding Mike Logsdon's concerns, we have the same need.  I thought when you add a local printer, it only installs for that user.  If this is true, when you log on to the machine as the local admin, install the printer, log off and log on as the original user, then the local printer would not be listed.  

    Am I correct in thinking that the local printer is user specific?

    Thanks!
    Aaron

  • Anonymous
    March 24, 2006
    Aaron H.--

    "Local Printers"--those that you physically connect to your computer, as well as those for which you add a port (e.g. Unix Print Services/IP Printing)--exist for all users.  These must be installed by an administrator.

    "Network Printers," for instance those shared over a Domain/SMB can be installed by anyone.  Those printers exist only for the user who installs it.

    Hope this helps...

  • Anonymous
    March 25, 2006
    Why couldn't this be used to make an attack on Windows from a Limited User Account especialy for users with blank admin passwords

  • Anonymous
    March 26, 2006
    The comment has been removed

  • Anonymous
    March 27, 2006
    A systematic approach for working around LUA bugs that avoids unnecessary exposure - &quot;the rest of the story&quot;

  • Anonymous
    April 06, 2006
    Yinon Ehrlich, sorry for the delay in responding.  Two things:
    1.  The version of MMA that is currently posted supports usernames containing spaces; but
    2.  This is what I've been told about console apps and right-to-left languages like Hebrew:
    "Console apps don't support complex script languages, and this is by design. For all console apps on such languages we fall back to English. Now since the administrator user name and password are both in Hebrew the option to use Runas is not valid."

  • Anonymous
    April 10, 2006
    PingBack from http://skmullen.wordpress.com/2006/04/10/makemeadmin/

  • Anonymous
    April 27, 2006
    The comment has been removed

  • Anonymous
    April 28, 2006
    dhananjay singh - There are two sides to the "non-admin" issue:  users who are trusted to know when/how to elevate and do so judiciously, and users who are not trusted to make those decisions.  MakeMeAdmin definitely falls into the first group.  On my Table of Contents page I have separated out my posts based on that distinction:  http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx

  • Anonymous
    April 28, 2006
    PingBack from http://n3wjack.net/index.php/2006/03/10/running-windows-as-a-non-admin/

  • Anonymous
    May 03, 2006
    Tool to pass crypt admin password: http://robotronic.de/runasspc/

    Bye

  • Anonymous
    May 03, 2006
    cibgiu - see caveats about that approach here:
    http://blogs.msdn.com/aaron_margosis/archive/2006/03/27/562091.aspx

  • Anonymous
    May 11, 2006
    I can not get this to work. I get the bright dos window saying Admin but when I go to install it says Im not a admin.

    Please help

  • Anonymous
    May 11, 2006
    Sidney - what are you trying to install?  Note that not everything started from an elevated process will remain elevated:  Look for the section called "When RunAs won't work" in this post:
    http://blogs.msdn.com/aaron_margosis/archive/2004/06/23/163229.aspx

  • Anonymous
    May 22, 2006
    I try to be a good citizen, I really try. I tried to take the plunge today to create a non-admin user...

  • Anonymous
    May 24, 2006
    Please e-mail me back at dulitzki322@gmail.com, I'm a limited account and I don't have access to the admin's account, is there any way, maybe through cmd, to become an admin, or at least to make another admin account from a limited account. If not is there any way to find out an admin's password?

  • Anonymous
    June 16, 2006
    MSBee requires administrative rights to be installed and same thing is true for .Net Framework 1.1 SDK...

  • Anonymous
    June 19, 2006
    I'd heard about this forthcoming edition of Visual Studio 2005 Team System (Team Edition for Database...

  • Anonymous
    June 19, 2006
    A new project has been just launched recently called sudoWn. It is based on the original MakeMeAdmin way but it is developed further for desktop PC users. You can find the project page @ http://sudown.mine.nu

  • Anonymous
    June 24, 2006
    PingBack from http://reparsed.net/2006/06/24/secure-surfing-six-months-later/

  • Anonymous
    June 29, 2006
    I had to change the system on my computer but did not have access to an admin account thanks to your help i could change the setting (that only could be accessed by an admin) and the computer doesn't stuff up anymore

    thanks denno

  • Anonymous
    July 06, 2006
    PingBack from http://jonc.wordpress.com/2006/07/06/change-group-membership-token-for-user/

  • Anonymous
    August 05, 2006
    how do i make my limited account to a admin account without a admin password... You can't.  If that were possible there would be no reason to have limited accounts. -- Aaron

  • Anonymous
    August 14, 2006
    Is there a way to gain the orginal password? after the admin password change. No. -- Aaron

  • Anonymous
    August 17, 2006
    Hmmm. I mistakenly tested MakeMeAdmin while already logged into my Admin account. Now my Admin account has mysteriously lost its Administrator privileges (it is now showing up as a Limited Account). Is there any way to recover from this situation?

    I tried a System Restore from the "Last known good configuration", but I had already rebooted before I noticed the problem, so the last "Good" configuration was no better. And my 'Get Out Of Jail Free' card (using System Restore to select a restore point that predates the problem) can't be used because System Restore needs to run from an account with Administrator privileges. Catch 22?

    This is on a system running XP Pro SP1. I'm half way through installing SP2 in a separate partition, so it's not a huge problem if this installation is beyond repair. But it does make me wary of trying MakeMeAdmin again.

    -Les. That problem has been noted before.  Some (at least partial) solutions are discussed in the comments to the follow-up post, particularly here and here. One can only do so much with a .cmd script.  Maybe one of these days I'll make a PowerShell version of the script. -- Aaron

  • Anonymous
    August 25, 2006
    PingBack from http://jeffhandley.wordpress.com/2006/08/21/wcf-troubles/

  • Anonymous
    August 30, 2006
    MakeMeAdmin And Console MatchMaker

  • Anonymous
    September 11, 2006
    The comment has been removed

  • Anonymous
    September 17, 2006
    How can I use it to uninstall programs or application?
    Can someone help me with this.... tnx! From a MakeMeAdmin command prompt, you can get to the Add/Remove Programs applet by running "appwiz.cpl". -- Aaron

  • Anonymous
    September 19, 2006
    I&amp;#39;d heard about this forthcoming edition of Visual Studio 2005 Team System (Team Edition for Database

  • Anonymous
    September 22, 2006
    I am an admin and I need to find out a limited user's password without changing it or them knowing. How? Sorry, there is no interface to support that.  Why do you need to do that? -- Aaron

  • Anonymous
    September 26, 2006
    same as secondary login......
    end task user's explorer.exe...and then use
    runas /user:administrator explorer.exe
    and there you will login as administrator...
    do the admin tasks and logoff from administrator .......
    now end task and start explorer.exe for user again...and you see that opened applications also wont get affected I've posted a better solution here that doesn't require killing your existing explorer.exe instances.  And, BTW, the idea you proposed doesn't address the scenarios that MakeMeAdmin (the subject of this post) was designed for. -- Aaron

  • Anonymous
    September 28, 2006
    Problematiken r&#246;rande lokala administrat&#246;rer, man st&#246;ter allt f&#246;r ofta p&#229; administrat&#246;erer som l&#246;ser...

  • Anonymous
    October 10, 2006
    Hi , this is a useful tool. I work in a large construccion company, and we use (in the headquarters) VNC for acessing computers located outside in numerous construccion sites. On these sites , the Pc's are in workgroups with acess to the domain network. What happens sometimes : people go from site to site , and have to change workgroup. Sometimes when you do this , you stop having access to VNC because the windows xp firewall blocks it . Is there a way to run MakeMeAdmin with the "netsh firewall set AllowedProgram" over ip or computer name? If not i'll just have to go there... Thanks. If the remote system is blocking remote administration, then you're not going to be able to change the firewall settings remotely. -- Aaron

  • Anonymous
    October 16, 2006
    Make one where you dont need ther administrators password because i stuffed up my computer by changing the admins password too fast =( You're asking for a hacker tool.  MakeMeAdmin is not a hacker tool, and I don't make hacker tools. :-) -- Aaron

  • Anonymous
    October 29, 2006
    Look for transparent solution within a VB6 app to create special shared folder privledges for domain users ONLY when using the VB6 app.

  • Anonymous
    October 29, 2006
    Look for transparent solution within a VB6 app to create special shared folder privledges for domain users ONLY when using the VB6 app. fintek@comcast.net

  • Anonymous
    November 21, 2006
    Can you send it a batch file to run in the final window.  I have a bat file containing the net use to map a network drive.  I would like this to run this in the final cmd window so that a drive is mapped in the admin session. Is this possible? Sure -- just add the batch file you want to the Prog variable.  The "/k" option means "run the following command when cmd.exe starts, and then continue running."  (The similar /c option runs the command you specify and then exits the shell.)  The && strings multiple commands together. HTH -- Aaron

  • Anonymous
    November 28, 2006
    The comment has been removed

  • Anonymous
    December 15, 2006
    We must logon now with a CAC card now.  Since then, I have been unable to use the MakeMeAdmin.  I can logon on the first part as Administrator and it successfully adds me to the administrator group.  It then asks for my limited account password and this is where it fails.  I get the following error in the DOS window:


Starting program in new logon session... Enter the password for MYDOMAINmyuserid: Attempting to start cmd.exe /k Title *** MYDOMAINmyuserid as Admin *** as user "MYDOMAINmyuserid" ... RUNAS ERROR: Unable to run - cmd.exe /k Title *** MYDOMAINmyuserid as Admin *** 1327: Logon failure: user account restriction.  Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced. Press any key to continue . . .


Is there anyway to fix this. David, does it work if you use MakeMeAdminSC, which comes in the same .zip download?  It uses "runas /smartcard" to do the "re-login" using smartcard credentials instead of a password.  From the MakeMeAdmin followup post: MakeMeAdminSC works just like MakeMeAdmin but uses smart card authentication for the current user instead of password authentication, via the runas.exe /smartcard option.  Insert your smart card before running MakeMeAdminSC; it will prompt you for the admin password, then for your smart card PIN.  (In order to work, the smart card needs to be associated with the account you’re currently logged in under.) -- Aaron

  • Anonymous
    December 18, 2006
    It adds me to the Admin group but it also fails in the second logon.  Here is the results:

Adding user MYDOMAINmyuserid to group Administrators... The command completed successfully. Starting program in new logon session... Reading smart cards..... The following errors occurred reading the smart cards on the system: No card on reader 2 Using the card in reader 1.  Enter the PIN: RUNAS ERROR: Unable to acquire user password Press any key to continue . . .


David, I suspect that since CAC cards are not standard, off-the-shelf smartcards, they may not be compatible with the expectations of Windows' built-in credential handling.  Feel free to contact me via the email link above to dig into this further. -- Aaron

  • Anonymous
    January 05, 2007
    PingBack from http://keycruncher.com/blog/2005/08/23/makemeadmin-windows-xp-admin-escalation-tool/

  • Anonymous
    January 15, 2007
    can this tool be used to make a logoff script reboot or shutdown a windows xp machine? it just seems to be impossible thanks Sorry, I just don't understand what you're asking here.  gpedit.msc will let you specify logon/logoff scripts. HTH -- Aaron

  • Anonymous
    January 26, 2007
    The comment has been removed

  • Anonymous
    January 27, 2007
    What is the temp admin password? How do you change it? www.greenlush.com

  • Anonymous
    January 28, 2007
    For users who'd like to automate typing in the admin password, a better alternative to RunAs would be using Mark Russinovich's PsExec.exe tool (part of the PsTools suite). PsExec allows you to specify the username and password in the commandline.

  • Anonymous
    January 29, 2007
    The comment has been removed

  • Anonymous
    February 02, 2007
    If its an issue, then you could make a program to launch psexec. That way you wouldn't be storing it in plaintext. To make it somewhat more secure, you could perhaps encrypt the password and obfuscate the exe.

  • Anonymous
    February 02, 2007
    The comment has been removed

  • Anonymous
    February 22, 2007
    The comment has been removed

  • Anonymous
    February 23, 2007
    The comment has been removed

  • Anonymous
    February 24, 2007
    The comment has been removed

  • Anonymous
    February 28, 2007
    I've been using MakeMeAdmin for quite a while, but on a recent install of XP on a laptop, when running Windows Explorer with elevated privileges, the view does not refresh after, for example, deleting or moving files. This happens with other dynamic views, such as Network Connections (if I turn off my wireless network card, it still shows it in the view unless I hit F5). This only happens when I use MakeMeAdmin to elevate privileges, under normal privileges (the user account is only in the Users group) the views refresh, and similarly if I log into the Administrator account, the views behave accordingly. I promise I've tried hitting Google up as many different ways as I could think of, but I'm at a loss, and out of five computers I run MakeMeAdmin on, this only happens on one. Any help would be most appreciated, thanks.

  • Anonymous
    March 01, 2007
    I'm having the same problem. The window with elevated privileges does not refresh, I have to hit F5. Not sure why. BTW, this also happens when I use WinSUDO (another great tool). Iggs/Vincent/and others: Hmm, I thought I had posted about this at some point, but I guess I haven't.  The problem is that the way Explorer does refreshes is that there is one central location, in one Explorer process, that performs the actual change monitoring. ()  When a change event occurs, that process notifies the Explorer windows that registered interest.  The problem is that the transferring of the information requires cross-process access, which gets blocked when the desktop Explorer tries to open the admin Explorer process. () Obvious question is "why was it done this way?"  The answer is (like many other answers) that Windows Explorer was architected for an OS that needed to be able to run on systems with 4MB of RAM.  Since Explorer was never designed to support multiple security contexts (and still isn't even on Windows Vista), there has not been a need to change this implementation. -- Aaron

  • Anonymous
    March 01, 2007
    The comment has been removed

  • Anonymous
    March 01, 2007
    The comment has been removed

  • Anonymous
    March 07, 2007
    Hello. I'm very very bad at using PCs. I need to get admin so I can use it to download some things but I'm not quite sure how to use MakeMeAdmin. Do I need to know the admin password (Which i dont know)? Maybe you can give a newbie step by step for a not very PC tunned person. Thanks in advance. Yes, you need to have the password for an admin account to use MakeMeAdmin. -- Aaron

  • Anonymous
    March 07, 2007
    The comment has been removed

  • Anonymous
    March 07, 2007
    Thats rubbish then. Is there anyway of getting temporary admin rites to download/install something? I really need to get something installed and can't. Thanks for the replies dude. Rubbish?  How?  Whose computer are you using, anyway?  If you need something installed, get a legitimate admin of the system to help you out. -- Aaron

  • Anonymous
    March 07, 2007
    Its my family PC. Lets just say my dad is the kind of person who thinks that doing the simplist of things will slow down the PC and make it rubbish. My dad is the admin so I dont think there is much of getting what I want done. Add me on msn if you can: greenink.chris@hotmail.com Its not rubbish by the way. Just not as good as I hoped :)

  • Anonymous
    March 17, 2007
    The comment has been removed

  • Anonymous
    March 19, 2007
    i prompt with this problem while running "MakeMeAdmin"..(my OS:XP prof with SP2) Enter the password for MyCompNameAdministrator:_ Attempting to start D:MakeMeAdminMAKEME.CMD MyCompNamemyuseraccount 1327: Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced. Press any key to continue... MENDRES:  If the local admin account has a blank password, you can't use RunAs with that account - blank-pwd accounts can be used only for interactive logon, not for network logon or runas.  So in order to use MakeMeAdmin, neither the Admin nor the User account can be blank-password accounts. HTH -- Aaron

  • Anonymous
    April 10, 2007
    I've been running into some problems with this program. Well, I did download it, and know a little about cmd myself, but every time I run the program, it asks me for a password, which of course I don't know... Is there something I overlooked to surpass this problem? Please help.

  • Anonymous
    April 10, 2007
    Sorry for the double post, but here is what it leaves me with Attempting to start C:Docume~ ... RunAs Error: - Unable to run C:Docume~... 1326: logon failure: unknown user name or bad password Help? Matt:  Sorry, but there's insufficient information here.  Can you provide more detail? -- Aaron

  • Anonymous
    April 16, 2007
    PingBack from http://blog.donnael.com/?p=690

  • Anonymous
    April 17, 2007
    If i don't have the admin pass? It seems to does not work right? Any comment?

  • Anonymous
    April 17, 2007
    If i don't have the admin pass and using a limited account? It seems to does not work right? Any comment?

  • Anonymous
    April 17, 2007
    Aaron: Why don't you put a big red heading on the top of this page saying "This is NOT a hacking program- you NEED to know your Admin password for this program to work!" Would save you the trouble of having to reply to every newbie :) deXter:  Great idea.  Or I could just ignore them... :-) -- Aaron

  • Anonymous
    April 17, 2007
    lol...tehre was no need to say all these things, you could say two things.first, this is not hacking program, second (more logic, i don't know how... any way tnx for ur comments

  • Anonymous
    May 07, 2007
    The comment has been removed

  • Anonymous
    May 08, 2007
    The comment has been removed

  • Anonymous
    May 30, 2007
    Aaron, I apologize in advance if I'm asking this question in the wrong thread. I work for the U.S. government and we use two-factor authentication (Gemplus smartcards) in an Active Directory domain. My question (2 parts) is this; is it possible to use a runas command which authenticates through the smartcard? The main reason for this is to load user specific applications (so we have to be in their user environment). If not runas, would "net use" be capable? Thanks for any advice you can give me. Scott:  First:  try RunAs.exe /smartcard Next:  Take a look at the MakeMeAdminSC version of MakeMeAdmin, referenced in the follow-up post to this one:  http://blogs.msdn.com/aaron_margosis/archive/2005/03/11/394244.aspx HTH -- Aaron

  • Anonymous
    May 30, 2007
    Aaron, Thank you for your help, and I apologize for not spending more time researching before taking up your time. Respectfully, Scott

  • Anonymous
    June 11, 2007
    The comment has been removed

  • Anonymous
    June 12, 2007
    PingBack from http://www.mcseboard.de/windows-forum-ms-backoffice-31/beschneide-administrator-115192.html#post711657

  • Anonymous
    June 20, 2007
    Hi, Please help me out: I just want to have the passwords as arguments in makemeadmin.cmd. Thanks. Vivian Vivian:  MakeMeAdmin is built on RunAs.exe, which specifically requires that passwords (or smartcard PINs) be typed at the console, to help avoid the security problems of passwords being stored in plain-text script files. -- Aaron

  • Anonymous
    June 21, 2007
    its doesn't work for me it didn't give the second command shell

  • Anonymous
    June 28, 2007
    The comment has been removed

  • Anonymous
    June 28, 2007
    PingBack from http://www.rachner.us/blog/?p=6

  • Anonymous
    July 10, 2007
    Viruses and Spyware are annoying to deal with that’s why the following is a bit of a guide to make sure

  • Anonymous
    August 16, 2007
    Aaron, Is there a way to actually input the admin password, I will be using this on over 2000 laptops and each person assigned to one of these laptops I don't want to give them the admin password. So I want to see if the makemeadmin batch can be modified. Carlos [Aaron Margosis] MakeMeAdmin is built on RunAs.exe, which specifically requires that passwords (or smartcard PINs) be typed at the console, to help avoid the security problems of passwords being stored in plain-text script files. That's a lot of systems to manage -- are they joined to a domain?  What kinds of tasks are you doing that require MakeMeAdmin?  There is likely a more scalable approach.

  • Anonymous
    August 18, 2007
    PingBack from http://tartley.com/?p=202

  • Anonymous
    August 21, 2007
    Thanks for this handy script, Aaron.  I had to make a small edit to get it to work for me: my Administrator doesn't have access to my limited user folders so it doesn't work to have the script call itself.  Instead, I told the script to put a copy of itself in the Shared Documents folder and run from there.  Here's the edit:

  • runas /u:%Admin% "%~s0 %User%"
  • if not exist "%AllUsersProfile%Documents%~nx0" copy "%~0" "%AllUsersProfile%Documents"
  • runas /u:%Admin% ""%AllUsersProfile%Documents%~nx0" %User%" Cheers, Rik [Aaron Margosis] MakeMeAdmin.cmd needs to be installed in a folder in which all users have at least Read permissions.
  • Anonymous
    September 18, 2007
    PingBack from http://martinz.wordpress.com/2007/09/12/restricted-user-account/

  • Anonymous
    September 25, 2007
    I am having the wirst luck! I need to have a script that reboots both Windows 2000 and Windows XP machines. I put the shutdown.exe file in a remote directory everyone has access to and point a bat file I made to run it from there, however, it days they do not have the correct privileges to run it. I even tried replacing the shutdown.exe method with a vbs script and it gives me the same privileges error! I'm stuck! Don't know what to do! djONE. [Aaron Margosis]  See this post.

  • Anonymous
    September 25, 2007
    The comment has been removed

  • Anonymous
    September 25, 2007
    The comment has been removed

  • Anonymous
    October 16, 2007
    PingBack from http://forums.x10hosting.com/tutorials/33416-how-make-your-computer-safer.html#post203262

  • Anonymous
    October 16, 2007
    PingBack from http://xtremenews.uni.cc/?p=37

  • Anonymous
    October 24, 2007
    Hi If I dont have admin privilege in the machine , what can I do...?Example, in our company we dont have admin privilege for a normal user. Also, If I have admin privilege, and want to use it very sparingly ( i mean only for the actions which demands admin power) and all other times be a normal user , what should I do? If a user in the domain is elevated to admin, then how can that user run  or develop applications as a non-admin .This is very important requirement to ensure the running of our developing applications will run with a local user of any machine..

  • Anonymous
    October 29, 2007
    this is stupid it doesn't work [Aaron Margosis]  ???

  • Anonymous
    December 02, 2007
    The comment has been removed

  • Anonymous
    December 11, 2007
    Is there a way to actually input the admin password, I will be using this on over 2000 laptops and each person assigned to one of these laptops I don't want to give them the admin password. So I want to see if the makemeadmin batch can be modified [Aaron Margosis] MakeMeAdmin is built on RunAs.exe, which specifically requires that passwords (or smartcard PINs) be typed at the console, to help avoid the security problems of passwords being stored in plain-text script files. That said, RunAs has a /savecred option (discussed in a different context in this post).  It doesn't expose the password directly, but it is possible for the password to be exposed.  Using /savecred also allows the user to run other things with the same account without having to enter a password.  And finally, once you allow something to run as admin, it is impossible to ensure that the admin rights will be used only for the tasks you think you're authorizing.

  • Anonymous
    December 14, 2007
    I am trying to run this on a Windows XP Home machine.  I changed the registry for "nondefaultadminowner" to 0 as described and have set an "administrator" password on the computer.  However, when I run MakeMeAdmin from my limited user account, I am unable to type in the command screen.  It does register when I hit return and I get the following error: Enter the password for DANAdministrator: Attempting to start C:DOCUME~1DANREC~1DesktopMAKEME~1MAKEME~1.CMD DANDan R eckner as user "DANAdministrator" ... RUNAS ERROR: Unable to run - C:DOCUME~1DANREC~1DesktopMAKEME~1MAKEME~1.CMD DANDan Reckner 1327: Logon failure: user account restriction.  Possible reasons are blank passw ords not allowed, logon hour restrictions, or a policy restriction has been enfo rced. Press any key to continue . . . Please help me to figure out why I can't type during the prompt. Thanks [Aaron Margosis]  Make sure that both accounts have passwords, and that the script is in a location that is readable by both accounts (e.g., not on the admin's desktop).

  • Anonymous
    December 17, 2007
    Aaron, I did not have a password on the limited account and have since set one up.  The script is in a folder on the desktop of the limited account.  However, I am still getting the same error.  Is there any thing else I can try??  Any help would be greatly appreciated. Thanks, Dan [Aaron Margosis] Try putting it in a shared location rather than in a folder belonging to one user.  E.g., copy it to the All Users Documents folder (Shared Documents).

  • Anonymous
    January 04, 2008
    same as latest question, after i put makemeadmin in shared document(My computer => shared document), after that what must i do???still not know how to work.sorry if my english language worst.thanks before

  • Anonymous
    February 28, 2008
    The comment has been removed

  • Anonymous
    March 08, 2008
    PingBack from http://www.pcsympathy.com/blog/2008/03/08/more-ways-to-surf-safely/

  • Anonymous
    March 15, 2008
    Aarona can you please tell me how to  got the admin password of my computer to which i have a physical access and using the limited account. thanx. [Aaron Margosis]  No, I can't.

  • Anonymous
    March 17, 2008
    The comment has been removed

  • Anonymous
    April 11, 2008
    Very interesting script. Users in my workplace do not have admin rights on their machines. So to install something we have to login with our credentials. I was writing a script that maps the network drive with my credentials and then open iexplorer window  again with my credentials. The problem is that in that I.E window I can see C: drive but can't see the mapped Network drive. Is there a way this script can help me ? My script is: @echo off Echo Please enter your username. set /p User= NET USE I: %logonserver%software /USER:mydomain%User% * runas /user:mydomain%User% "c:Program FilesInternet Exploreriexplore.exe"

  • Anonymous
    May 13, 2008
    PingBack from http://www.hardbop200.com/2008/04/23/batch-script-to-run-control-panel-applets-as-admin/

  • Anonymous
    June 17, 2008
    Hi, At school I have 2 accounts, one Admin/PU for working on the server and past and current student databases etc and one which I use for normal classes. I am really struggling to understand what I am supposed to do to set this all up. Could you please possibly give me a step by step instruction set up for all of this It is appreciated heaps Sam

  • Anonymous
    June 27, 2008
    Hello, Can someone help? I had a Administrator Account & Limited Account on my Laptop but i accidentally deleted the Administrator Account. Now the only Account that i have is the Limited Account. There is no Administrator account under user Accounts. How can i get around this? I am not able to access any files. Tanks,

  • Anonymous
    June 28, 2008
    I think there is another "Administrator" account on XP machines, not protected with a password by default, but removed from the login menu as soon as you create your own Admin account. Take a look at http://www.ncsu.edu/resnet/windows/passwords/xp_passwords_admin.php or do a web search for "hidden administrator account" (without the quotes), you might find the answer you are looking for. Good luck! -Les.

  • Anonymous
    July 11, 2008
    Hey! I am using this script! I saw in one comment! You must try!


@echo off Echo Please enter your username. set /p User= NET USE I: %logonserver%software /USER:mydomain%User% * runas /user:mydomain%User% "c:Program FilesInternet Exploreriexplore.exe"


Thanks for every information. These are very useful! Thank you so much... King Regards!

  • Anonymous
    August 23, 2008
    1uI'll thingk about it.0w I compleatly agree with last post.  hvr <a href="http://skuper.ru">паркет</a> 2k

  • Anonymous
    November 05, 2008
    I'm on a pc with both an Administrator and Limited User account. However the Limited User a/c has a blank password therefore as I understand it, this solution does not work. What alternative solution is there for me that functions like MakeMeAdmin but accepts a Limited User a/c with no password? I do have the Admin password. I just don't want the hassle of logging in and out and in and out... [Aaron Margosis]  It will probably work if you remove the restriction on blank-password local accounts.  Caveat is that you do increase your security risk by doing this.  Local Security Policy (secpol.msc):  Security Settings Local Policies Security Options; "Accounts: Limit local account use of blank passwords to console logon only".  Change from Enabled to Disabled.  Probably requires reboot.  Caveat again is that you do increase your security risk by doing this.

  • Anonymous
    November 23, 2008
    hi my 12 year old changed my admin password and now the only way we can use the computer is thro her restricted account ....is there a way to make her account admin with out the admin password....so i can get my account back.. thanx 4 all the help

  • Anonymous
    December 18, 2008
    How to del the temperary profile and log in to the normal administrator account.??? [Aaron Margosis]  Sorry - no idea what you're asking here...

  • Anonymous
    January 13, 2009
    need help : i was so confused for long time.. how to remove password while i plugged in a flashdisc on limited user? anybody know this .. help me please..

  • Anonymous
    February 03, 2009
    The comment has been removed

  • Anonymous
    May 22, 2009
    I would like to use the jkdefrag screensaver with administrative privileges (to defrag the system disk). Is it possible trough MakeMeAdmin? How? Thank you.

  • Anonymous
    May 22, 2009
    I would like to use the jkdefrag screensaver with administrative privileges (to defrag the system disk). Is it possible trough MakeMeAdmin? How? Thank you.

  • Anonymous
    May 22, 2009
    I would like to use the jkdefrag screensaver with administrative privileges (to defrag the system disk). Obviously I can't write the password every time the screensaver start Is it possible trough MakeMeAdmin? How? Thank you.

  • Anonymous
    May 22, 2009
    Sorry, I posted my question three times by mistake, plese remove the first two, thank you

  • Anonymous
    June 02, 2009
    When I enter the admin password correctly, then the user password incorrectly, it leaves the user setup as an admin. Is there a fix for this? I'd hate to accidentily leave a user as an admin because they mistyped their password.

  • Anonymous
    June 02, 2009
    Correction, this only happens if after mistyping the password instead of "pressing any key to continue" you instead close the dos window. Can we modify this to remove before "press any key" when the password is wrong? [Aaron Margosis]  Go ahead -- it's a .cmd file, so you can edit it with Notepad.  Might be easier just to add an ECHO statement saying "Press any key, DO NOT JUST CLOSE THE WINDOW."

  • Anonymous
    June 03, 2009
    The comment has been removed

  • Anonymous
    November 19, 2009
    The comment has been removed

  • Anonymous
    November 19, 2009
    Aaron, Thanks for the quick update.  I have moved the filed to C:MakeMeAdmin - I believe this is a shared location.  I have also tried C:Program FilesMakeMeAdmin.  I still get the same error.  Can you tell me what to check about 8.3 file names (not sure what that means) and what I should check for permissions?? Thanks [Aaron Margosis]  Just re-read your first... The rest of the error text for that error message is:  "Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced."  Are you sure both the admin and non-admin accounts have non-blank passwords?  Do you have logon hour restrictions applied, or is the admin account you're using disabled?  If your admin account is not called "Administrator", you need to change the script to use a different account name that has admin rights.

  • Anonymous
    April 19, 2010
    If you do like this it allows user accounts without password & it makes default owner group Administrators. When install is finished, it reverts default owner back to object creator: @echo off REM ******************************************************************** REM  This batch file starts a command shell under the current user account, REM  after temporarily adding that user to the local Administrators group. REM  Any program launched from that command shell will also run with REM  administrative privileges. REM REM  You will be prompted for two passwords in two separate command shells: REM  first, for the password of the local administrator account, and REM  second for the password of the account under which you are logged on. REM  (The reason for this is that you are creating a new logon session in REM  which the user will be a member of the Administrators group.) REM REM  CUSTOMIZATION: REM  The following values may be changed in order to customize this script: REM REM  * Prog  : the program to run REM REM  * Admin : the name of the administrative account that can make changes REM              to local groups (usu. "Administrator" unless you renamed the REM              local administrator account).  The first password prompt REM              will be for this account. REM REM  * Group : the local group to temporarily add the user to (e.g., REM              "Administrators"). REM REM  * User  : the account under which to run the new program.  The second REM              password prompt will be for this account.  Leave it as REM              %USERDOMAIN%%USERNAME% in order to elevate the current user. REM ******************************************************************** setlocal set Admin=%COMPUTERNAME%Administrator set Group=Administrators set Prog="C:mYAPP.EXE" set User=%USERDOMAIN%%USERNAME% if "%1"=="" ( runas /u:%Admin% "%~s0 %User%" if ERRORLEVEL 1 echo. && pause ) else ( echo Adding user %* to group %Group%... net localgroup %Group% "%" /ADD if ERRORLEVEL 1 echo. && pause echo. echo Allowing for blank passwords... reg ADD HKLMSYSTEMCurrentControlSetControlLsa /v limitblankpassworduse /t REG_DWORD /d 0 /f if ERRORLEVEL 1 echo. && pause echo. echo Starting program in new logon session... runas /u:"%" %Prog% if ERRORLEVEL 1 echo. && pause echo. echo Limiting blank passwords... reg ADD HKLMSYSTEMCurrentControlSetControlLsa /v limitblankpassworduse /t REG_DWORD /d 1 /f if ERRORLEVEL 1 echo. && pause echo. echo Removing user %* from group %Group%... net localgroup %Group% "%*" /DELETE if ERRORLEVEL 1 echo. && pause reg ADD HKLMSYSTEMCurrentControlSetControlLsa /v nodefaultadminowner /t REG_DWORD /d 0 /f color CA echo. echo. echo CLOSE THIS WINDOW AFTER INSTALL IS FINISHED!... echo. echo. pause reg ADD HKLMSYSTEMCurrentControlSetControlLsa /v nodefaultadminowner /t REG_DWORD /d 1 /f ) endlocal

  • Anonymous
    May 10, 2010
    Hi, I dont have admin password and my id not belongs to admin group, i need to put my id in adminstrator group, any idea? i tried make me admin but asking admin passwrd, Any idea? Really thanks

  • Anonymous
    June 13, 2010
    I forgot my password to my Admin. account, so im stuck with using limited. Does anyone know the easiest way to recover it back? Please msg me on myspace, if you have useful information.

  • Anonymous
    July 02, 2010
    it still asks for an admin password

  • Anonymous
    July 03, 2010
    This is a boon.  I needed to change power settings on a machine for a user without a local account who logs in via a domain, and this did the job.  Thank you, thank you.

  • Anonymous
    July 06, 2011
    The comment has been removed

  • Anonymous
    November 09, 2012
    Can this website make me a admin in graal online era

  • Anonymous
    December 17, 2012
    The comment has been removed

  • Anonymous
    December 17, 2012
    It's a bit messy - I can see that.  Sorry Have not cleaned up very well - but it works ;-)

  • Anonymous
    October 09, 2013
    is it possible to include the administrator password into the program? [Aaron Margosis]  No.  By design, RunAs.exe does not provide an interface for submitting a password.  It is designed to be used interactively rather than fully scripted.