Can Active Directory Users and Computers RSAT tool be configured to prompt for password at launch?

KjstechO365 81 Reputation points
2021-01-20T20:26:13.473+00:00

We all know that the RSAT tool Active Directory Users and Computers will allow a "user" to run it and view everything, and the security doesn't kick in until you try to do something in it (create an account, reset passwords, move or delete items, etc.). Now we don't really have a concern with a regular user installing the tool and poking around because our users have no rights to install programs themselves. However, on our IT workstations a lot of us have ADUC either pinned to the taskbar or start menu for ease of access. However, there are times where I accidentally just click the icon and I'm down in the tree like 8 layers deep until I realize I can't do something because I just opened the icon rather than right-clicked it and selected Run as Administrator. Is there any way to configure the ADUC yellow book icon to just automatically pop up a password prompt, much like if you were to try to access a c$ share or RDP to something? That way we could just regularly click the icon in the start menu or taskbar and then the screen could dim and show us the prompt for username and password, and we could fill in our administrator username and credentials there. We don't run our day to day systems as a Domain admin. Even us in IT have a second user account for admin stuff, so if I'm online posting this message it's my regular account, but if I run an MMC tool or need to move files behind the scenes and access administrative shares, I use a second administrative ID assigned to me.


Accepted answer
  1. Fan Fan 15,296 Reputation points Microsoft Vendor
    2021-01-21T02:20:23.227+00:00

    Hi,

    Here is a method for your reference:

    Restrict the ADUC snap-in for regular domain users through Group Policy:

    Navigate to User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins
    Select ADUC and set it to Disabled, as follows:
    [Image: 58885-1211.jpg]

    Then update the group policy for users when they log in, with the command: gpupdate /force

    After the group policy is applied, ADUC will be prevented from opening when they run it:
    [Image: 58886-1212.jpg]

    When the user needs to run ADUC as administrator, you can click ADUC and run as administrator; it will show as:
    [Image: 58898-1213.jpg]
    Then enter the administrator name and password, and ADUC can be run as you expected.


4 additional answers

  1. Dave Patrick 426.1K Reputation points MVP
    2021-01-20T20:37:21.807+00:00

    This one may sort it.
    https://www.howtogeek.com/124087/how-to-create-a-shortcut-that-lets-a-standard-user-run-an-application-as-administrator/

    --please don't forget to Accept as answer if the reply is helpful--


  2. KjstechO365 81 Reputation points
    2021-01-20T21:05:05.287+00:00

    Well I don't want to save credentials, just a pop up is fine, so I tried this in the run box without /savecred. I think if it would work there it should work as a shortcut...

    runas /user:domain\myadminuseracct %SystemRoot%\system32\dsa.msc

    A command line box comes up (sadly not a Windows UI) and I type in my password there, no way to tell what I'm typing, it doesn't even star or blank out, and obviously there's no eyeball icon to reveal and ensure it's right, but I entered it and hit enter, the command window goes away but then nothing happens.

    Part of the problem I think is that these tools are not EXE files. They are .msc files. dsa.msc is Active Directory Users and Computers.

    I'm surprised after all these years, like over 21 years at least (thinking of Active Directory's debut in Windows 2000), Microsoft never accommodated this.

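A PowerShell launcher for the scenario in the post above, as an added example that is not part of the thread: it prompts for the admin credentials on every launch, saves nothing, and starts mmc.exe with dsa.msc as its argument rather than targeting the .msc file itself. Assumptions: Windows PowerShell 5.1 (where Get-Credential shows a dialog), RSAT installed, and the script name and the -Elevate switch are hypothetical.

```powershell
# Added example, not from the thread. Save as e.g. Start-Aduc.ps1 (hypothetical name).
param(
    # Hypothetical switch: use when the admin account is also a local administrator
    # on this workstation and UAC rejects the direct launch as "requires elevation".
    [switch]$Elevate
)

$sys32   = Join-Path $env:SystemRoot 'System32'
$mmc     = Join-Path $sys32 'mmc.exe'
$console = Join-Path $sys32 'dsa.msc'

if (-not (Test-Path -LiteralPath $console)) {
    throw "dsa.msc not found at $console. Is RSAT installed?"
}

# Prompt every time; nothing is written to disk or to Credential Manager.
$cred = Get-Credential -Message 'Admin account for Active Directory Users and Computers'
if (-not $cred) { return }    # prompt was cancelled

# -Credential creates the process directly, without shell file associations,
# so the target must be mmc.exe with the .msc passed as its argument.
# -WorkingDirectory must be a folder the admin account can read; the caller's
# current directory may not be.
$common = @{ Credential = $cred; WorkingDirectory = $sys32; ErrorAction = 'Stop' }

try {
    if ($Elevate) {
        # Hop through powershell.exe as the admin account, then request elevation
        # from there; UAC then shows its own prompt for that account.
        $inner = "Start-Process -FilePath '$mmc' -ArgumentList '$console' -Verb RunAs"
        Start-Process -FilePath 'powershell.exe' @common -ArgumentList @(
            '-NoProfile', '-WindowStyle', 'Hidden', '-Command', $inner)
    }
    else {
        Start-Process -FilePath $mmc -ArgumentList "`"$console`"" @common
    }
}
catch {
    Write-Warning "ADUC was not started: $($_.Exception.Message)"
}
```

A pinned shortcut can point at powershell.exe with -File and the script path, so a plain click on the icon produces the credential prompt.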

  3. Dave Patrick 426.1K Reputation points MVP
    2021-01-20T21:36:52.203+00:00

    Still should have worked. Check Task Manager\Details\Elevated

    --please don't forget to Accept as answer if the reply is helpful--


  4. KjstechO365 81 Reputation points
    2021-01-26T01:49:36.607+00:00

    FanFan, this is a great way to limit non-admins from even opening the snap-in. That way it won’t load if I forget to click the special “run as administrator” right click, so I don’t waste time drilling down and then realizing my mistake. That’s fantastic, thanks!
