Two Security Add-ons

If you typically log on to your system by using a regular user account, you probably sometimes need to have Power User or Administrator privileges in the domain to perform necessary actions. Sometimes gaining the required privileges can be cumbersome, depending on your needs. You can accomplish the temporary elevation of privileges by using the RunAs command manually, but there's a much quicker way.

Aaron Margosis wrote a useful add-on command script for Windows that can help you with running applications in a higher security context. His script MakeMeAdmin automates the process of using the RunAs command to elevate your privileges. The script performs three actions: Adds your current user account to the local Administrators group, launches a command shell and any other application you want to run, then removes your account from the local Administrators group.

You can read an explanation of scenarios in which MakeMeAdmin might come in handy at Margosis's Web log (blog) at the first URL below. You can download a copy of MakeMeAdmin (in a .zip file) at the second URL below. The .zip file also contains a second script, MakeMePU, which elevates your privileges to the Power Users group instead of the Administrators group.

http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx

http://www.speakeasy.org/~aaronmar/NonAdmin/MakeMeAdmin.zip

Another useful tool developed by Margosis is PrivBar for Windows Explorer and Microsoft Internet Explorer (IE). PrivBar helps you see what security context a particular instance of Windows Explorer or IE is running under. When you install PrivBar, a toolbar is added to both those applications. The toolbar displays the domain and username as well as the group that the account belongs to. The toolbar is color-coded to grab your attention when you run an instance under a highly privileged account, such as an account in the Administrators group.

According to Margosis, "PrivBar shows you roughly what your privilege level is by checking the current process' token for membership in Administrators, Power Users, Users, or Guests. The circle on the bar will be red if you are in Administrators, yellow if you are Power User, green otherwise. If you are an admin, the bar's background will be yellow. Finally, if that instance is running with a restricted token (e.g., by using the RunAs dialog's "protect my computer" option, ...), the circle will be green with a red line through it. (... PrivBar uses the CheckTokenMembership API, so yes, it properly takes into account disabled or deny-only SIDs.)" You can read about the tool and see screen shots of it at the first URL below and download it at the second URL.

http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/195350.aspx

http://www.speakeasy.org/~aaronmar/NonAdmin/PrivBar.zip

If you're a developer interested in the CheckTokenMembership API, you can learn more about it at the Microsoft Developer Network (MSDN) Web site.

http://msdn.microsoft.com/library/en-us/secauthz/security/checktokenmembership.asp