RunAs / RunAsWait problem on server 2012R2 [SOLVED]

[Rex]

Hi

I created a login script for our old server witch had server 2008, and the script worked flawless

Now we have upgraded to server 2012, and the script stopped working correct.

For some reason my Run/RunAs/RunAsWait functions don't work, or some of them don't work

Run('D:\Admin.exe') don't work, the Admin.exe is newer executed, and the user have execute rights to D:

RunAs($sUsr, @computerName, $sPass, 0,'C:\Program Files (x86)\Admin.exe) Lunches Admin, but not with admin rights

Admin.exe contains

If Not IsAdmin() Then
    MsgBox(262144,"ADMIN","Isn't admin")
Else
    MsgBox(262144,"ADMIN","Is ADMIN")
EndIf
Exit

And should show Is Admin, when executed with admin rights, as far i under stand

Even if I do a RunAs @comSpec it's not executed as admin

I also have tried to compile the excamples from runas and runaswait, neither of them worked with admin rights

Any one have a suggestion on what might be the problem, I have disabled UAC - and if i Right click and choose RunasAdmin with the user name/password it works, so shouldn't be because of wrong username/pass, als the secondary logon service is running.

 

Cheers
/Rex

 

:Edit additional info

Edited November 29, 2017 by Rex

[EmilyLove]

Does #RequireAdmin help at all? It would help us if you could show us what you have so far so we can see where and how your script breaks.

[Rex]

@BetaLeaf My script breaks at the very first RunAS command I have.

 

RunAsWait("UserService", @ComputerName, "!PASS!", 0, '"C:\Program Files (x86)\UserService\Admin.exe"')
RunAsWait("UserService", @LogonServer, "!PASS", 0, '"C:\Program Files (x86)\UserService\Admin.exe"')
RunAsWait("UserService", @LogonDomain, "!PASS!", 0, '"C:\Program Files (x86)\UserService\Admin.exe"')
RunAs("USerService", @ComputerName, "!PASS!", 0,@comspec&" /c rd C:\Windows\Temp")
Run('"C:\Program Files (x86)\UserService\Admin.exe"')

This is what I have in my login script for now, and non of them works

 

Cheers
/Rex

[Jos]

As suggested already: So what about adding the #requireAdmin as suggested or setting the compiled script's requestedExecutionLevel ?

Jos

[Rex]

@Jos

It's a logon script that is run at user logon thru group policy, so adding #requireAdmin won't work ad the script is run with the users privileges, I don't know how to set the requestedExecutionLevel

 

Cheers
/REx

[Jos]

Either way, when the UAC is enabled, you will get a prompt when the requireAdministrator  level is needed. This has nothing to do with being a user or Administrator. Maybe some reading up on this is the first thing you need to do,

Jos

[Rex]

@Jos

UAC is disabled, but yes if it wasn't then the user would get a prompt - but the script is designed (the old script that worked flawless on server 2008) to run with out user interference, one of the things the script doe's is to move the user profile to another drive, and setting up some services.

 

Cheers
/Rex

[EmilyLove]

You can skip the uac prompt by setting this program as a scheduled task. May also help with the admin issue.

[Rex]

@BetaLeaf I will try that

How ever it still don't cast any lights on why the runas don't work in server 2012, when it did in Server 2008

 

Cheers

/Rex

[EmilyLove]

I'm sorry, what? What lights? Do you mean the disk activity led on the case of the pc?

Edited June 19, 2016 by BetaLeaf
Omg I didn't mean to type that. It was a typo. Sorry.

[Rex]

@BetaLeaf LOL

There must be some reason on why the runas don't work on server 2012 - but I haven't found any answers on google

 

Cheers
/Rex

[EmilyLove]

1 minute ago, Rex said:

@BetaLeaf LOL

There must be some reason on why the runas don't work on server 2012 - but I haven't found any answers on google

 

Cheers
/Rex

Oops lol that was a typo. 

[Rex]

An update

Soo I have tried again and again, and it seems that it's somehow connected to my admin user - if I use administrator in runas, it works like it should - but using my service user, witch is a administrator, runas don't work ??

So now I need to find out why one admin user works and another don't

Cheers
/Rex

[EmilyLove]

Most users are assigned to multiple local groups. Run this command in command prompt as admin:

Net user admin

Change admin to whatever the name of your admin accounts are. Compare the two users. You can change local groups with this command

Net localgroup group admin /add

Net localgroup group admin /delete

https://technet.microsoft.com/en-us/library/bb490706.aspx

[Rex]

Both administrator and my service user are in the same group, according to net user @Username

And if i run my Admin.exe from the service user - it tell me that it's runned with admin priv.

 

Cheers
/Rex

[EmilyLove]

I don't know thenothing. Sorry I cannot help you further. I hope someone else will be able and willing to help. Have a good one.

[Rex]

@BetaLeaf

Thx for the help so far

Yeah I also hope that some one can come with some input on why the main admin account works in runas, when other admin accounts don't.

But it seems that MS has made some radical changes on the security part in server 2012.

 

Cheers
/Rex

[AdamUL]

Are you compiling as 32 or 64 bit?  This could be causing an issue.  

 

Adam

 

[Rex]

@AdamUL

I have tried both 32 and 64, but current I use 32, course most of the operations I need is 32bit

 

Cheers
/Rex

[lascellk]

I have confirmed the same behavior in Windows 10.  I am able to call my test EXE (with the same IsAdmin code) using RunAsWait and I can see it is running under the context of the admin account I am want to use.  However, it is not running elevated....same issue.  This same code worked fine on Windows 7 x86/x64.

 

Has anyone seen this issue on Win10?