Can Active Directory Users and Computers RSAT tool be configured to prompt for password at launch?

KjstechO365 81 Reputation points
2021-01-20T20:26:13.473+00:00

We all know that the RSAT tool Active Directory Users and Computers will allow a "user" to run it and view everything and the security doesn't kick in until you try to do something in it (create an account, reset passwords, move or delete items, etc...). Now we don't really have a concern with a regular user installing the tool and poking around because our users have no rights to install programs themselves. However on our IT workstations a lot of us have ADUC either pinned to the taskbar or start menu for ease of access. However there are times where I accidently just click the icon and I'm down in the tree like 8 layers deep until I realize I can't do something becuase I just opened the icon rather than right clicked it and selected Run as Administrator. Is there any way to configure the ADUC yellow book icon to just automatically pop up a password prompt, much like if you were to try to access a c$ share or RDP to something? That way we could just regularlly click the icon in the start menu or taskbar and then the screen could dim and show us the prompt for username and password, and we could fill in our administrator username and credentials there. We don't run our day to day systems as a Domain admin. Even us in IT have a second user account for admin stuff so if I'm online posting this message its my regular account, but if I run an MMC tool or need to move files behind the scenes and access administrative shares, I use a second administrative ID assigned to me.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,002 questions
Windows Server Management
Windows Server Management
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Management: The act or process of organizing, handling, directing or controlling something.
423 questions
{count} votes

Accepted answer
  1. Fan Fan 15,306 Reputation points Microsoft Vendor
    2021-01-21T02:20:23.227+00:00

    Hi,

    Here is a method for your reference:

    Restrict the ADUC snap for regular domain users through Group Policy :

    Navigate to User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins
    Select ADUC and set it to disabled as following:
    58885-1211.jpg

    Then update the group policy for users when they login by command :gpupdate /force

    After the group policy was applied, it will be prevented when they run ADUC:
    58886-1212.jpg

    When the user need to run aduc as administrator, you can click the ADUC and run as administrators, it will show as :
    58898-1213.jpg
    Then enter the administrator name and password , the ADUC can be run as you expected.

    0 comments No comments

4 additional answers

Sort by: Most helpful
  1. Dave Patrick 426.2K Reputation points MVP
    2021-01-20T20:37:21.807+00:00

    This one may sort it.
    https://www.howtogeek.com/124087/how-to-create-a-shortcut-that-lets-a-standard-user-run-an-application-as-administrator/

    --please don't forget to Accept as answer if the reply is helpful--

    0 comments No comments

  2. KjstechO365 81 Reputation points
    2021-01-20T21:05:05.287+00:00

    Well I don't want to save credentials, just a pop up is fine, so I tried this in the run box without /savecred. I think if it would work there it should work as a shortcut...

    runas /user:domain\myadminuseracct %SystemRoot%\system32\dsa.msc

    A command line box comes up (sadly not a windows ui) and I type in my password there, no way to tell what im typing, it doesn't even star or blank out, and obviously there's no eyeball icon to reveal and ensure its right, but I entered it and hit enter, the command window goes away but then nothing happens.

    Part of the problem I think is that these tools are not EXE files. They are .msc files. dsa.msc is Active Directory Users and Computers.

    I'm surprised after all these years, like over 21 years at least (thinking of Active Directory's debut in Windows 2000), Microsoft never accommodated this.

    0 comments No comments

  3. Dave Patrick 426.2K Reputation points MVP
    2021-01-20T21:36:52.203+00:00

    Still should have worked. Check Task Manager\Details\Elevated

    --please don't forget to Accept as answer if the reply is helpful--

    0 comments No comments

  4. KjstechO365 81 Reputation points
    2021-01-26T01:49:36.607+00:00

    FanFan, this is great way to limit non admins from
    Even opening the snap in. That way it won’t load if I forget to click the special “run as administrator” right click, so I don’t waste time drilling down and then realizing my mistake. That’s fantastic, thanks!

    0 comments No comments