The requested operation requires elevation

Resolved


Hi all,

I have the following scenario:

  • Default UAC settings, Win10 21H1
  • DomainuserA is standard user (RDM is being opened with it)
  • DomainuserB (credential entry) has admin rights on the machine
  • I configure "command line (external application)" with "Inherited" credentials and Run As "current session"
  • I set the "run as Administrator" Advanced checkbox


Requirements:

  • I want to open SoftwareA (external application) as elevated DomainuserB in RDM
  • I want to display SoftwareA embedded in RDM


When trying to open any .exe that I need to run as DomainuserB with elevation it gives me "The requested operation requires elevation" in an external window; when trying to run embedded I get "Unable to execute application xxx.exe"

Specific Example:
When using a CMD.exe with "run as admin" and DomainuserB the command "net session" I try to execute gives "Access is denied" as it needs to be elevated. This definitely shows that there is no elevation in progress!

Did I somehow configure something wrong, or is elevation for a different user & external app not working in general?

Thanks a lot!

All Comments (10)


Hello,

What version of RDM are you running?

If you run RDM as an administrator, is it working as expected?

Best regards,

Jeff Dagenais


Good morning,

Version is 2021.1.27.0 x64

As UserA has no admin rights, I need to enter UserB when starting RDM as admin.
If I do so and add a cmd.exe with UserB, and check "run as administrator" in advanced settings, behaviour is the same. There seems to be no elevation as I get "access denied" for "net session" for example...

Thanks


Hello,

Thank you for your quick reply!

In order to start RDM as UserB and have your administrator privileges in the application, I would recommend following the steps listed here:
https://kb.devolutions.net/rdm_running_rdm_as_another_user.html

After doing so, you should no longer experience these errors in RDM. Let me know if that works for you.

Best regards,

James Lafleur


Hey,

My goal is not to open RDM as UserB but to have elevated software opened in RDM.
As mentioned, elevation does not work either with the "run as admin" checkbox in RDM or with opening RDM itself as an admin user!


As far as I know you can't "RunAs" & "Run As Administrator" in one step, you must do it in two steps, unless, of course, you are already elevated.

Even manually with cmd or PowerShell you must do in two steps.

So in RDM, you can do something like create a PowerShell session that is set up as "Run As" UserB, then start a new process (PowerShell, Notepad, or whatever) using "-Verb RunAs".


The result is two windows (in this case both are PS). The first gets embedded into RDM (run as UserB); the second is not embedded (UserB elevated).


Edit: changed UserB for UserA
Edit 2: changed UserA for UserB :-)

Stéfane Lavergne
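
The two-step launch described in the post above, written out in PowerShell as an added example (not code from the thread or from RDM). `Test-Elevated` and `Start-ElevatedAs` are hypothetical helper names; the example assumes an interactive desktop session, default UAC settings, and that the supplied account is a local administrator.

```powershell
# Added example. Start-Process keeps -Credential and -Verb in different
# parameter sets, so "other user" and "elevated" cannot be requested in a
# single call; the launch is split into two steps instead.

function Test-Elevated {
    # True only when the current process token has the Administrators group
    # enabled, i.e. the process is elevated and not merely owned by an
    # account that is a member of Administrators.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-ElevatedAs {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,  # e.g. DomainuserB
        [Parameter(Mandatory)] [string]       $FilePath     # program to elevate
    )

    # Step 2, executed inside the intermediate shell: ask for elevation.
    # UAC shows a consent prompt because that shell already runs as an admin
    # account holding a filtered (non-elevated) token.
    $quoted = $FilePath -replace "'", "''"
    $inner  = "Start-Process -FilePath '$quoted' -Verb RunAs"

    # Step 1: start the intermediate shell as the other user (not elevated).
    # -WorkingDirectory avoids "The directory name is invalid" when the
    # caller's current directory is not readable by the other account.
    Start-Process -FilePath powershell.exe -Credential $Credential `
        -WorkingDirectory $env:SystemRoot `
        -ArgumentList '-NoProfile', '-Command', $inner
}

# Usage (prompts for the password, then shows the UAC consent dialog):
#   $cred = Get-Credential -Message 'Admin account for the elevated program'
#   Start-ElevatedAs -Credential $cred -FilePath "$env:SystemRoot\System32\cmd.exe"
```

Pasting `Test-Elevated` into a PowerShell window reports whether that window is elevated, a token-level alternative to checking with `net session`.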


Hi and thanks for your help!

As far as I know you can't "RunAs" & "Run As Administrator" in one step, you must do it in two steps, unless, of course, you are already elevated.


If my Windows user is not part of the admin group and I right-click any application with "run as administrator" and am prompted to type in a username & password, I will be using this other user with elevation - both in one step.
Same with your command. Running "Start-Process powershell -Verb runas" gives me a UAC prompt where I enter my admin username, then I'm elevated with this user.

I'm aware workarounds exist, I already did something similar with runasspc and cmd.
So I can confirm this is working - however I find this is a sloppy workaround and still:

  1. Why does RDM include a "run as administrator" checkbox when this for me seems to not work for elevation? Is this another functionality?
  2. The application - as indirectly started - will not be shown embedded, which originally was one of the two requirements - see above


Thanks and best regards

Edit1: Disadvantage of the PowerShell way: The embedded PS session needs to be kept open for the external app to run.


Hi,

If my Windows user is not part of the admin group and I right-click any application with "run as administrator" and am prompted to type in a username & password, I will be using this other user with elevation - both in one step.

Same with your command. Running "Start-Process powershell -Verb runas" gives me a UAC prompt where I enter my admin username, then I'm elevated with this user.

In all honesty, I'm not sure how they pull this off other than it's two different processes but we don't realize it. The Windows API doesn't allow for it directly.

1. Why does RDM include a "run as administrator" checkbox when this for me seems to not work for elevation? Is this another functionality?

It works in some cases. For example, if you only want "run as administrator" with the existing user. RunAs + Run-As-Administrator is the issue here.

2. The application - as indirectly started - will not be shown embedded, which originally was one of the two requirements - see above

When we start the process, we have the handle to the process so we can embed it. In the case of a second process (child) we don't have a handle to it in RDM to be able to embed it.

Best regards,

Stéfane Lavergne


Hi,

thanks for your help.

So far:

  • you provide the option to "run as administrator" for external applications in RDM which is not working if the RDM-running user has no admin rights on the machine as
  • elevation & different user credentials seem to not be supported by RDM

--> please either reconfigure the behaviour of the "run as admin" button or make sure this is working at all times

  • when using the sloppy workaround approaches like above I just get an elevation UAC prompt to confirm - which is okay - but it will not be an embedded window - which was a requirement


Further findings from my side:

  • running RDM itself elevated and then choosing "run as administrator" works as expected, it also shows "elevated" at the bottom status bar near the username
  • also I found that the "run as admin" checkbox is greyed out for PowerShell if you select "None" within "Run As" tab but for "external app" this is simply not the case:

this is confusing...

  • If you're interested: In Royal TS 5, if I choose "run elevated" then "Use credentials" automatically gets deselected. Which kind of makes sense but is kind of confusing when keeping in mind that in Windows both at the same time is possible, as mentioned


Outcome:

  • I couldn't get any external application/PS/cmd to work elevated with another user in embedded mode
  • "run as admin" and a different user looks to be not working. Didn't find any documentation on this - implementation would be greatly appreciated or else the behaviour of the "run as admin" button for non-admins should be changed as UI is not reflecting the actual behavior (at least not for external applications)


Not a big fan of the workaround (not embedded BUT better than nothing as I don't have to type in the password) and I still think "run as admin" behaviour in RDM is not self explanatory if your current user isn't an actual admin as of security prerequisites...

Thanks a lot!


Hello, I have the same issue - it is only possible via the workaround mentioned in post 2161.

Would it be possible to make this a little bit more integrated? I mean doing this "trick" automatically in the background without the user having to do it manually?

Brgds Andreas


I will add a task to investigate if we can get this working. I'm not optimistic.

Best regards,

Stéfane Lavergne