My coworker is trying to register some COM components (which I wrote) via RegAsm.exe and it says he needs Administrator privileges. His account has admin privileges but he is not logged in as Administrator. Is there a way to use his regular user account and succeed at this task?
I work in an environment/jurisdiction where giving local admin access to all users is simply not possible (legal/compliance/regulations will not allow).
It appears there is no equivalent of this function in .NET world: AtlSetPerUserRegistration
Try this: Using regasm, generate the registry entries with /regfile argument. By default, registry entries should use HKEY_CLASSES_ROOT (HKCR) as a root. Modify the entries (manually, or by script) to use HKEY_CURRENT_USER (HKCU).
Finally, distribute your .NET DLL with the registry script. You can still run regedit without admin rights to register your .NET DLL. Manually from the command line, using a batch file, or a (tiny) separate installation program can handle the registration.
Admin privileges are required to allow Regasm.exe to update the registry. If this is a UAC restriction then create a shortcut on the desktop for cmd.exe and check the "Run this program as an administrator" checkbox. Or change this setting on the Visual Studio Command Prompt shortcut, that's easier.
I think this question belongs elsewhere, but Windows uses least privilege so if he is a user that is both a normal user and an Administrator than he gets normal user privileges. Use runas to make this work or right click the item and "run as administrator"
Why don't you use registration free com? Its only been supported since 2003 and obviates the need for UAC / administrative access to install COM components.
With RegFree COM you can just bundle the COM dlls with the application that uses them as a private assembly - but that doesn't mean they can't be properly installed - either in the registry or in WinSxS by the final deployment install.exe/msi
Subtext wrt the actual query: no - COM registration is in the HKEY_LOCAL_MACHINE key that always requires administrative access.
I lied: Actually you can. If you create a application with no manifest at all, Windows deduces that its an XP era application that expects administrative access to run and will activate a compatibility mode that, amongst other features, redirects write access to HKLM to a writable location under HKCU. So the COM component registration "succeeds" - but is registered for the current user only.
Im not sure why the ability to register for just the current account isn't supported generally outside the compatibility framework.
Check this out: https://gist.github.com/florentbr/6be960752fc852ee99eece6b4acb8ba7
I was trying to do the same thing and was about to give up when I came upon it.
It's a cmd script that will register the SeleniumBasic.dll in the registry without having admin privileges. With a bit of work you should be able to repurpose the code to register your COM components.
Many, many thanks to Florent Breheret for SeleniumBasic and this cmd script to register it!
I am logged into an account that has Administrator privileges. But RegAsm.exe still says it needs Administrator privileges.
[From some notes I have for Windows 2008 R2. Confirm on other Windows operating systems that support UAC. The following assumes that you are permitted to make changes to the Local Security Policy. ]
In its default configuration, User Account Control (UAC) settings give the local Administrator full privileges, but restrict the privileges of other members of the Administrators group. To lift the UAC restrictions on other members of the Administrators group, do the following:
Select Start -> All Programs -> Administrative Tools -> Local Security Policy.
Select Local Policies -> Security Options.
In the right panel, double-click the third entry from the bottom which reads User Account Control: Run all administrators in Admin Approval Mode.
Click Disabled.
Click OK to close the dialog and close the Local Security Policy configuration tool.
Reboot the computer to complete this change to the UAC settings.
Related
I have a CA that runs deferred without impersonation in InstallExecuteSequence after PublishProduct.
This CA uses windows impersonation to change context to a local administrative user where the credentials are for queried using a dialog for user input. The elevated requirements are meet, the context is changed and other tasks are performed, however when I try to open a subkey made by the installer for write access in HKLM\SYSTEM\CurrentControlSet\Services\NameOfService\MySubKey, I get an exception related to insufficient access. However I can open for read though?
At this point the service has been installed, the key has been created and other values have been written. The context I am using to modify it is a member of the local Administrators group and the session is elevated as per requirements of the other tasks?
Is this a caveat of the windows installer environment?
For whatever reason, exiting the impersonation back to LocalSystem resolved this. Likely an issue with elevation.
I want to install a TeamCity BuildAgend as a user. When entering my user credentials here:
I always get this error:
NOTE: My account (user) is Administrator with full permission!
How can I do this?
The error message says it does not have "enough rights to run as a service",
this is slightly different from just being an administrator.
Go to Control Panel> Administrative Tools> Local Security Policy.
Select Local Policies> User Rights Assignment.
Scroll down through the list of policies and look for Log on as a service.
Add the account you're using to the list of accounts with this right.
That should in theory be all you need to allow the service to run under that user.
The best powershell command that I have found for this is:
Grant-Privilege -Identity $SERVICE_USERNAME -Privilege SeServiceLogonRight
Requires use of the Carbon framework.
I'm a Windows 10 Home user and the steps above did not work for me, but the following did:
Enable gpedit.msc by running the batch file as explained here under Method 1: https://www.askvg.com/how-to-enable-group-policy-editor-gpedit-msc-in-windows-7-home-premium-home-basic-and-starter-editions/
Run gpedit.msc
Go to Local Computer Policy / Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment
Double-click Log on as a service
On the window that appears, click Add User or Group...
Enter your username and click the Check Names button
Your name will be modified, adding the machine name as the prefix. Click OK
Click OK on the Log on as a service Properties window to apply the change.
It is a little bit of a pain, but after doing that, I was able to continue installing TeamCity
I'm writing a script that periodically checks that certain services are running on remote workstations. I'm having a devil of a time getting an "SC \workst1 query" command working from one test machine to another. Both machines are running XP pro SP3. Neither is part of a domain. Both are in the same workgroup, and the administrator accounts have the same passwords.
I keep getting the "[SC] OpenSCManager FAILED 5: Access is denied" message, from either workstation to the other. I have tried using elevated privileges on both. Windows firewall software is turned off. There are no messages are showing up in the Event security logs. When (as administrator) I try going to "Computer Management" -> "connect to another computer" and access the remote services I get "Error 5 Access is denied".
I can set up a filesystem share between the two machines successfully, and "net use \workst1\IPC$ /user:Administrator" completes successfully, but the SC query still fails. I'm using IP addresses and not hostnames in these commands, but that doesn't help. I don't know what else to try. Thanks for the help.
Try to run the commans as a Administrator
start-> (type cmd in search box), right click on cmd, Run as a administrator -> execute your command
You must have administrative rights on the remote machine.
Moreover you must access the drive before calling "sc".
This can be achieved in command line using
net use \\remotemachine\admin$ <password> /user:<username>
admin$ is a hidden shared drive accessible to administrators that "sc" uses to control services.
I was having the same issue today trying to check if a service is enabled remotely.
I could solve the issue modifying the User Account Control for remote restrictions in windows:
To disable UAC remote restrictions, follow these steps:
Click Start, click Run, type regedit, and then press ENTER.
Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
If the LocalAccountTokenFilterPolicy registry entry does not exist,
follow these steps:
On the Edit menu, point to New, and then click DWORD Value. Type LocalAccountTokenFilterPolicy, and then press ENTER.
Right-click LocalAccountTokenFilterPolicy, and then click Modify. In the Value data box, type 1, and then click OK.
Exit Registry Editor.
More information about this solution in this site.
Your user should be remote, from Manage and Local users and groups
The UAC issue is obvious you have to pull down the lever for UAC setting
Also while installing the services you can use the following command
SC create SERVICENAME DisplayName= "DISPLAYNAME" binPath= "PATH OF EXE" start= disabled type= share
I have an Okuma OSP Machine Controller running Windows XP.
By default it attempts to automatically log on when the machine is turned on.
We have changed the default administrator password and now the auto-log on fails every time.
How can I turn off this feature or update the password so that it succeeds?
Machine Types Effected: Any machine with P200 or P300 control running Windows-XP
4/1/2014: Confirmed the same applies to new OSP-300 Windows 7 controls
2/1/2015: There is another (easier) way to accomplish this on Okuma controls.
This can be done using a utility in the TOOLS directory called the "Auto Logon Setting Tool". This is perfect for anyone uncomfortable with editing the registry.
Tool location:
The utility:
Just choose the user you wish to to be logged on automatically, and click the "Register auto log-on" button.
This feature is enabled from the factory to allow users to get up and running quickly while still having the machine password protected. Because it is recommended to change the default password this is most likely a very common situation.
The automatic login behavior can be changed by editing registry settings.
Click Start, type "regedit" (sans-quotes) in the run box, and press enter.
In the folder structure in the left pane, navigate to the following folder:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
To turn the feature OFF, change the key value of "AutoAdminLogon" to '0'
Similarly, the default user name and password can be changed by editing the appropriate keys to restore the functionality of the auto login feature.
Reference Microsoft Support article here.
Is there a way in SQL Server Management Studio 2005 (or later) to change the Windows Authentication user (as you could in SQL Server 2000 and older)?
This is the general connection properties dialog(note the greyed out UID/PWD when selecting Windows Auth):
FYI - One workaround is to use runas but I'm looking for a solution that will allow me to work with multiple Windows accounts across multiple servers (and across multiple domains).
While there's no way to connect to multiple servers as different users in a single instance of SSMS, what you're looking for is the following RUNAS syntax:
runas /netonly /user:domain\username program.exe
When you use the "/netonly" switch, you can log in using remote credentials on a domain that you're not currently a member of, even if there's no trust set up. It just tells runas that the credentials will be used for accessing remote resources - the application interacts with the local computer as the currently logged-in user, and interacts with remote computers as the user whose credentials you've given.
You'd still have to run multiple instances of SSMS, but at least you could connect as different windows users in each one.
For example: runas /netonly /user:domain\username ssms.exe
Hold shift and right click on SQL Server Mangement studion icon. You can Run as other windows account user.
One other way that I discovered is to go to "Start" > "Control Panel" > "Stored Usernames and passwords" (Administrative Tools > Credential Manager in Windows 7) and add the domain account that you would use with the "runas" command.
Then, in SQL Management Studio 2005, just select the "Windows Authentication" and input the server you wanna connect to (even though the user that you can see greyed out is still the local user)... and it works!
Don't ask me why ! :)
Edit:
Make sure to include ":1433" after the server name in Credential Manager or it may not connect due to not trusting the domain.
None of these answers did what I needed:
Login to a remote server using a different domain account than I was logged into on my local machine, and it's a client's domain across a vpn. I don't want to be on their domain!
Instead, on the connect to server dialog, select "Windows Authentication", click the Options button, and then on the Additional Connection Parameters tab, enter
user id=domain\user;password=password
SSMS won't remember, but it will connect with that account.
The runas /netonly /user:domain\username program.exe command only worked for me on Windows 10
saving it as a batch file
running it as an administrator,
when running the command batch as regular user I got the wrong password issue mentioned by some users on previous comments.
For Windows 10:
Go to the Sql Management Studio Icon, or Short Cut in the menu:
Right Click > Select Open File Location
Hold Shift and right Click the shortcut, or ssms.exe file that is in the folder. Holding shift will give you an extra option "Run as different user":
This will pop up a login box and you can type the credentials you would like your session to run under.
A bit of powershell magic will do the trick:
cmdkey /add:"SERVER:1433" /user:"DOMAIN\USERNAME" /pass:"PASSWORD"
Then just select windows authentication
There are many places where someone might want to deploy this kind of scenario, but due to the way integrated authentication works, it is not possible.
As gbn mentioned, integrated authentication uses a special token that corresponds to your Windows identity. There are coding practices called "impersonation" (probably used by the Run As... command) that allow you to effectively perform an activity as another Windows user, but there is not really a way to arbitrarily act as a different user (à la Linux) in Windows applications aside from that.
If you really need to administer multiple servers across several domains, you might consider one of the following:
Set up Domain Trust between your domains so that your account can access computers in the trusting domain
Configure a SQL user (using mixed authentication) across all the servers you need to administer so that you can log in that way; obviously, this might introduce some security issues and create a maintenance nightmare if you have to change all the passwords at some point.
Hopefully this helps!
Did anybody tried "plain" runas without parameters? Those /netonly /savcecred all of them sound ambiguous and to me utter nonsense.
C:\Windows\System32\runas.exe /user:DOMAINX\OtherUser02 "C:\Program Files (x86)\Microsoft SQL Server Management Studio 18\Common7\IDE\ssms.exe"
This works just fine. No matter what, runas WILL ask you for the user password. Just type it and be security audit compliant.
The only way to achieve what you want is opening several instances of SSMS by right clicking on shortcut and using the 'Run-as' feature.