Hi Devolutions Team,
I'm hoping you may be able to provide some guidance / point out what I'm doing wrong.
Context: Our organization has multiple Active Directory domains, none of which are managed by general-staff accounts (i.e. accounts tied to emails); each admin/tech who is performing a task which requires more permissions than general staff also has a privileged account. Furthermore, we try (whenever possible) to only provide admin access via Remote Server Admin Tools (RSAT) or application-specific remote tools (such as MS-SQL Management Studio or MySQL Workbench) rather than providing access to the servers directly.
I'm currently working on building our various templates for the different server/application types and am getting stuck with RSAT tools. For our Group Policy Management, I added the following;
Working Directory: C:\Windows\System32
Command: mmc gpmc.msc
Credentials: Inherit
RunAs: Use session credentials
Execution Mode: Attempted every possible combination (see below)
From what I can tell, if using “Run As Administrator” (which is disabled when “RunAs session credentials” is used), everything behaves correctly – gpmc.msc launches as expected. Unfortunately given our requirement to run as a separate user, this won’t work.
I’ve also tried different combinations using cmd /c, start, & runas (commands) but was unable to get any of them to work correctly.
Am I trying to do something which isn’t supported/doable?
I’m not sure if this is even possible but does Devolutions have any intention of natively supporting mmc applications as a session type? IE: Provide path to *.msc and it will launch embedded in RDM?
Thanks again for all your help during our pilot project,
Mike
Michael,
Great question. The implementation of "Run As Administrator" for the most part uses the built-in .Net functionality, which has some limitations. We have however started an implementation that uses the native Windows method calls for "Run As Administrator" support in RDM. This is not yet widespread across all "Run As Admin" tools/sessions. We have it on our to-do list; I've bumped the priority of the feature request and will try to implement your particular situation first.
Are you using tools session? Sub Connection? It would be very helpful if you could export (no credentials) a sample session/template. You can send them via private message or email slavergne[@]devolutions.net.
As for native embedded mmc session tool type. Great idea. We will add it to our to-do list and see what can be done.
Best regards,
Stéfane Lavergne
Hi Stefane,
I certainly can; however, I'm stuck putting out some fires with our infrastructure at the moment. I will respond with a few templates, and explanations of what we're looking to achieve, as soon as I have time to circle back to RDM - might not be until tomorrow.
Thanks again for your response and help,
Mike
For anyone else running into a similar issue, I managed to find a work-around. Use the following command to launch RDM:
runas /netonly /user:%remoteActiveDirectoryDomain%\%RemoteUsername% RemoteDesktopManager.exe
The command uses your current Windows user to launch RDM, but will use the provided credentials for any network sessions (i.e. spoofs Windows credentials for remote connections).
edit: This assumes;
Connecting to a remote computer, on a domain which isn't trusted by your local domain
OR
Connecting to a remote computer with a user other than your current windows user
AND
Session relies on Windows-authentication (Domain/kerberos)
AND
The RDM session "Run command" config for Runas is disabled
Mike
Hi Mike,
The next build will have NetOnly capabilities built-in with CMD Session and CMD Tools. This should allow you to run RDM normally and still run your mmc consoles with network credentials.
I've tested with SQL Server Management Services (SSMS) and all worked as expected, I couldn't get the server tools to work on my development machine for testing.
I will let you know when the new build is out so you can give it a try and let me know what you think.
Best regards,
Stéfane Lavergne
Hi Stefane,
That's great, I look forward to trying it out. I'm currently running several projects so likely won't be able to invest time into RnD until mid-Feb but I will test it out as soon as possible.
Thank you for all your work on this and the prompt addition of this feature.
Mike