Auditing changes made by users that use RunAs
I've been trying to find a good way to audit changes made to a system by an application or console that is running under different user credentials with the RunAs command. If I were to use the RunAs command to run the Computer Management console as an administrative user, any changes made to groups, services started/stopped, etc. are logged as the user that I am running the application under, but the user that is actually logged on to the workstation is not logged in any way that I can see.

Here's an example to make things more clear: I am logged on to my Win7 workstation with an AD user account called "Matt". This is a standard user account and doesn't have any administrator privileges. I need to add a user to the local Administrators group on a server. In order to do so, I use the RunAs feature in Windows to run the Computer Management console as a user called "Admin" that has Administrator privileges on that server. I may use a shortcut with the following command to do this:

%windir%\system32\runas.exe /user:Admin@domain.local "mmc compmgmt.msc"

Now, with the Computer Management console running under the user called "Admin", I can add a user to the local Administrators group on that server. This change is logged in the Security log on that server and I can see that the "Admin" account made the change.

My problem is that when this type of change is made, the Security log in Windows only seems to log the "Admin" user that the console is running under and not the "Matt" account that I am logged onto my workstation with. Is there any way to log both the "Matt" account that I am logged on with, as well as the "Admin" account that the console is running under?

I've been searching around for information on how to do this but I can't find anything on the web. Maybe I'm just missing something, but if anyone can give me a hand, I would really appreciate it. Let me know if anything doesn't make sense or if you have any questions about what I'm trying to do.

Thanks for the help!
/Matt
June 1st, 2010 9:09pm

Hi, You may enable the “Audit logon events”. In this way, you can check who logged onto the computer before the “admin” account made the change. In addition, please remember that it is not recommended to grant untrusted users the administrative privilege. Allowing everybody to run compmgmt.msc as Administrator means that you grant everybody the administrative privilege. This posting is provided "AS IS" with no warranties, and confers no rights.
June 8th, 2010 6:57am

To start, I just want to note that this isn't specific just to compmgmt.msc, but rather this could be any application. I simply used that console as an example since it is used frequently. What I'm looking for is to be able to track changes made when a user is using RunAs. It's not that they are untrusted, but for audit requirements we are supposed to be able to track all changes made and the user who made those changes. I haven't found a good way of doing this when running an application under alternate credentials using RunAs. The logs always seem to report the user that you are running the application under and not the user you are logged on as.

Is there no better way of doing this than to audit the logon events and look for Seclogons? That would entail correlating events between the logon event of the standard user account, followed by a seclogon by the admin account, and then tracking all changes between the seclogon and a logoff event. Correct me if I'm wrong... I thought that it may be possible to script something like that and correlate the events using some third party apps, but in my opinion, this information should already be available just by looking at the logs. Is there really no other way?
/Matt
June 8th, 2010 5:27pm
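The correlation Matt describes above (interactive logon, then the seclogon it spawns, then every change made by that secondary session until its logoff) written out as a small script. This is an added example, not code from the thread; it assumes the 4624 raised by the Secondary Logon service carries the requesting session's Logon ID in its Subject fields and the alternate account in its New Logon fields, and the sample events are constructed, not captured.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Event:
    time: str
    event_id: int
    subject_logon_id: str            # Subject > Logon ID: the session performing the action
    new_user: Optional[str] = None   # New Logon fields, present only on 4624
    new_logon_id: Optional[str] = None
    detail: str = ""

SYSTEM_LOGON_ID = "0x3e7"  # the SYSTEM session that requests console logons

def attribute_changes(events, change_ids=(4732,)):
    """Attribute each change event to the acting account AND the originating user.

    Every 4624 becomes a session whose parent is the Subject Logon ID that
    requested it (assumption: seclogon's 4624 names the invoking session there).
    4634/4647 close a session so later events with its Logon ID are not attributed.
    A change is attributed by following parent links up to the interactive logon,
    so nested RunAs chains resolve to the original console user as well."""
    sessions = {}  # logon_id -> (account, parent_logon_id or None)
    results = []
    for ev in events:
        sid = ev.subject_logon_id.lower()
        if ev.event_id == 4624:
            parent = None if sid == SYSTEM_LOGON_ID else sid
            sessions[ev.new_logon_id.lower()] = (ev.new_user, parent)
        elif ev.event_id in (4634, 4647):
            sessions.pop(sid, None)
        elif ev.event_id in change_ids:
            if sid not in sessions:
                results.append((ev.time, ev.event_id, "unknown", "unknown", ev.detail))
                continue
            actor, parent = sessions[sid]
            origin = actor
            while parent is not None and parent in sessions:
                origin, parent = sessions[parent]
            results.append((ev.time, ev.event_id, actor, origin, ev.detail))
    return results

# Constructed sample log: Matt logs on, runs mmc as Admin via RunAs, Admin adds a
# member to Administrators, the RunAs session ends, then a stray 4732 reuses the ID.
SAMPLE = [
    Event("09:00:01", 4624, "0x3E7", "Matt", "0x1A2B3", "console logon"),
    Event("09:05:10", 4624, "0x1A2B3", "Admin", "0x4C5D6", "seclogon (runas)"),
    Event("09:06:42", 4732, "0x4C5D6", detail="member added to Administrators"),
    Event("09:10:00", 4634, "0x4C5D6", detail="logoff"),
    Event("09:12:00", 4732, "0x4C5D6", detail="change after session ended"),
]
```

On Matt's actual scenario the change lands on a different server, where Admin's network logon has its own Logon ID, so joining the two machines' logs has to fall back to account name plus time window rather than the Logon ID chain shown here.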

Hi, Based on my research, "runas" internally uses CreateProcessAsUserW to launch applications and I am afraid that there is no simple way to meet your requirement. Taking advantage of UAC, I think it is not necessary for an administrator to log on to the workstation with a standard user account and then run applications with another administrative account.

Inside Windows Vista User Account Control
http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx

Hope the information is helpful for your work. This posting is provided "AS IS" with no warranties, and confers no rights.
June 9th, 2010 5:30am
