Command Line (External Application) "requires elevation" prompt


I have a strange behaviour with this session type. We have users for our support and our admin team that have specific permissions in Active Directory. Support users have delegated permissions to specific objects only, the admin team has account operator permissions. We have MMCs configured for them and we try to start them with the mentioned session type.

Display: external
Credentials: Vault
Run: "C:\Windows\System32\mmc.exe"
Arguments: "\\server\share\folder\xxx.msc"
Run As: Current Session

When I do this with the delegated AD Support account, the mmc starts without a problem.

When I just switch the account to an admin team account (which is Account Operator in AD), I get this error message:


The second line just says that this requires elevated permissions. But why?

If I change the settings to this, I get the mmc in the context of the admin team account, without the error message!

Display: external
Credentials: Vault
Run: "C:\Windows\System32\mmc.exe"
Arguments: ""
Run As: Current Session

And when I open the msc file from the argument manually, it opens without a problem and everything works as it should.

I am really not sure how this is related to RDM or not, but also when I just start "cmd" it works with this admin team account and the cmd is running in the correct context. Then I can do mmc and open the msc file, without a prompt that elevation is needed.

Brgds Andreas

All Comments (2)


I think I found the "problem". Some applications really want to elevate...

Run application without elevation ('Run As Administrator') (nirsoft.net)

I don't understand why this depends on the user account used, but when I do

Run: cmd /c "set __COMPAT_LAYER=RunAsInvoker && C:\Windows\System32\mmc.exe"
Arguments: "\\server\share\folder\console.msc"

or

Advanced, Force "cmd /c" checked
Run: set __COMPAT_LAYER=RunAsInvoker && C:\Windows\System32\mmc.exe
Arguments: "\\server\share\folder\console.msc"

the mmc starts with the admin team account without a prompt.

The disadvantage of this is that the cmd stays open. I have another ticket open for PowerShell with a similar "problem" (Hide PowerShell window (devolutions.net)), but I think it is easier to hide the PowerShell window. Because with PowerShell I don't have the elevation issue...

Or do you have an idea to make this work for "Command Line" sessions also?

Brgds Andreas


Hello Andreas,

Thank you for contacting us on that matter!

Given the information you have provided us, I have to agree with you that doing this with PowerShell seems more convenient. Once the change you requested in https://forum.devolutions.net/topics/38072/hide-powershell-window#166543 is added, you will be able to hide the window.

Best regards,

James Lafleur
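
The `__COMPAT_LAYER=RunAsInvoker` workaround from the first comment, written for a PowerShell session so that no `cmd` window is involved. This is an added example, not part of the original posts and not Devolutions code; the function name `Start-MmcAsInvoker` is hypothetical and the `.msc` path is the placeholder used in the thread.

```powershell
# Added example: start an MMC console with the RunAsInvoker compatibility layer.
# Start-MmcAsInvoker is a hypothetical helper name; the UNC path is a placeholder.
function Start-MmcAsInvoker {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ConsolePath
    )

    # Fail early if the console file is missing or unreachable.
    if (-not (Test-Path -LiteralPath $ConsolePath -PathType Leaf)) {
        throw "Console file not found: $ConsolePath"
    }

    $mmc      = Join-Path $env:SystemRoot 'System32\mmc.exe'
    $previous = $env:__COMPAT_LAYER
    try {
        # The variable is inherited by the child process; RunAsInvoker makes
        # mmc.exe start with the caller's current token instead of asking
        # for elevation.
        $env:__COMPAT_LAYER = 'RunAsInvoker'
        Start-Process -FilePath $mmc -ArgumentList ('"{0}"' -f $ConsolePath)
    }
    finally {
        # Restore the old value (or remove the variable if it was unset) so
        # other programs started from this session are not affected.
        $env:__COMPAT_LAYER = $previous
    }
}

Start-MmcAsInvoker -ConsolePath '\\server\share\folder\console.msc'
```

RunAsInvoker only suppresses the elevation request: the console runs with the rights the account's current token already has, so snap-in actions that need a full administrator token will fail instead of prompting.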
