A utility for dual-personality users

If you have the Microsoft Windows NT Server Resource Kit or the Microsoft Windows NT Workstation Resource Kit, you know that it's full of great-sounding utilities. But figuring out some of those utilities can be a problem. This new column will explain what you can do with resource kit utilities. Every month, I'll highlight a utility, tell you what it does, and show you how to use it.

One utility worth figuring out is su.exe. It lets you start up a program under the guise of a different user.

When this Utility Is Useful
Suppose you're a network administrator in domain EARTH. You have two accounts on your network: CKENT and KALEL. One afternoon, you're logged on to your CKENT account, your ordinary user account, working on a monthly report in Word. A user calls and says he's forgotten his password and asks you to reset it for him. No problem. You start up the User Manager for Domains. You find his account and double-click on it, only to be told "Access Denied: the user properties cannot be edited or viewed at this time."

Then you remember you're logged on to your user account. So you'll have to shut down Word, log off CKENT, and log back on as KALEL, an account with administrative powers. But, you have a better idea: su.exe.

SU lets you start up the User Manager for Domains (or any other application) under the KALEL account, even if you're not currently logged on as KALEL. You can then change the user's password, exit the User Manager, and return to your Word document.

Step by Step
In its simplest form, an SU invocation looks like

su <name of account you want to use> <name of program>
   <domain of account>

In our example, all you have to do is open up a command line and type

su kalel usrmgr earth

SU will prompt you for the password for the KALEL account. Once you've entered the password, User Manager for Domains starts.

Suppose I have two user accounts, Mark (ordinary user account) and MarkA (administrative account), in domain ANDROMEDA. I'm logged on to my NT workstation as Mark and want to change my system's time. But, ordinary users can't change system times. To use the TIME command, I need a command line. So, I type

su MarkA cmd andromeda

I'm prompted for MarkA's password, I supply it, and I get a command prompt window. Then I can use the TIME command to change the computer's time.

What Can Go Wrong
SU is a neat utility, but you have to modify a user's rights before SU will work. If you just fire up a command line on a system that's installed with all default rights, the previous examples won't work. The CKENT account (the account running SU) must have two advanced user rights that NT users of all stripes don't have by default: Act as part of the operating system and Replace a process level token.

An administrator can easily give those rights to CKENT. So, before you try SU the first time, log on to your Windows NT machine with the administrative account—KALEL in this example—and open up the User Manager for Domains.

If you're running User Manager for Domains, you'll need to direct the User Manager to modify the rights granted on the machine you're working at. By default, the User Manager for Domains modifies the rights that domain controllers, not machines in general, grant. For example, suppose you have two domain controllers, D1 and D2, and three member servers, S1, S2, and S3, and you're at a workstation named W1. All are NT machines that are members of a domain. If you're sitting at W1 logged on as CKENT and want to run SU, then CKENT must have the Act as part of the operating system and Replace a process level token rights on W1. So, again, before CKENT can run SU, you'll have to log on to W1 with an administrative account to grant CKENT those rights.

If you're using User Manager for Domains, you click User/Select Domain and type in W1. (Yes, W1 is a machine, not a domain, but that's how you control W1's rights.) Now click OK. But if you're just sitting at W1 and running the simple User Manager, you don't have to click User/Select Domain. Then click Policies/User Rights, and check the box labeled Show advanced user rights. Select Act as a part of the operating system and add CKENT's name. Do the same for Replace a process level token. CKENT can now run SU. Happy NT schizophrenia!

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.