[unisog] Admin Password Management

Michael Holstein michael.holstein at csuohio.edu
Wed Feb 23 13:47:54 GMT 2005


> Runas is a replacement for su, not for sudo- with runas you need to enter
> the administrative password, and can then run any command as root.

More correctly, Runas allows you to run any command as ANY user (not 
just 'administrator'. Correct use of GPO to manipulate the local 
security policy will allow you to setup rights to do whatever you're 
after (be it create backups, shutdown the machine, etc.).

In reality, you shouldn't need 'runas' at all .. just setup groups for 
whatever role you're trying to establish and then use that domain group 
as above to permit access to the function which the particular admin 
requires.

Be careful with some roles (like run as service) because those can be 
used for privilege escalation in said admin is clever enough.

Cheers,


Michael Holstein CISSP GCIA
Cleveland State University



More information about the unisog mailing list