How to run MMC/RSAT as non-admin user

In our environment (2008R2/2012 AD Domain, w/ Win7/8 Enterprise), we log on to our systems with unprivileged accounts. We avoid using domain admin credentials entirely, instead relying on different privileged accounts for various categories of workstations and servers (they are basically compartmentalized by function and risk). System admins then run needed tools elevated to whichever account is needed for the target system. The accounts that have admin privs on the target system are not privileged on the desktop on which the tool is run. Prior to Windows 8, this has worked without any problems, though in some cases steps were required to make the "Run as a different user" option available in the right-click menus used to launch the tools.

However, on Windows 8.1, attempts to work in this way fail. Ultimately, we are unable to run the various RSAT tools without providing an account that has admin privileges on the local desktop to run the MMC. I've done a good bit of googling (er.. binging) and have been unable to find any explanation or guidance on how to get this to work.

I can probably add all the server admin accounts to the local Administrators groups on the admin workstations and/or terminal servers and get this to work, but that's undesirable from a security perspective. We developed this scheme to segment our privileged credentials to improve domain security by thwarting an attacker's ability to move laterally through the domain in the event a system is compromised. E.g., if a user workstation or laptop is compromised, privileged credentials that might be present on that system would not allow privileged access to any system in a different risk category ("compartment" in our vernacular).

Does anyone have any idea what I'm missing? This issue is currently holding up broader adoption of Windows 8.1+ and I really need to get this working.

Thanks for any insight.

July 8th, 2015 6:44am

Hi,

If you were prompted about not having enough privileges, you need to grant privileges to the current users to run these programs. I am supposing you mean the server operator account in your thread. To confirm whether a server operator has privileges to run RSAT on Windows 8.1, I need time to reproduce a domain environment with Windows 8 and 8.1 and perform a test. If I find something changed between Windows 8 and 8.1, I might inform you of that in this thread.

Minimizing user permissions is always important from a security perspective. If your environment doesn't allow the system operator/admin to have full local administrator privileges, we need to compare both accounts and break down the privileges by using accesschk and NT Rights Privileges.

https://technet.microsoft.com/en-us/sysinternals/bb664922.aspx

https://gallery.technet.microsoft.com/Get-Set-Remove-NT-Rights-0a8a36db

Here is a sample of a server operator account:

Personally, I prefer adding the server admin to the local Administrators group (for certain computers, maybe), since this option might mess up your whole privilege system and it will be disastrous.

Regards,

D. Wu

July 12th, 2015 9:44pm
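As an added example (not part of the thread and not from either poster), here is one way to do the account-to-account privilege comparison suggested above in PowerShell, using the CSV output of `whoami /priv /fo csv` captured under each account instead of accesschk. The CSV text, file paths and account names below are constructed sample data.

```powershell
# Added example, not from the thread. Compares the privileges two accounts hold
# on the same workstation, using the CSV produced by `whoami /priv /fo csv`.
# In practice, capture one file per account, e.g. (constructed account and path):
#   runas /user:DOMAIN\Print-Admin "cmd /c whoami /priv /fo csv > C:\temp\print-admin.csv"
# then pass (Get-Content -Raw) of each file to Compare-PrivilegeSet.
# The two here-strings below are constructed sample data, not real output.

$unprivilegedCsv = @'
"Privilege Name","Description","State"
"SeShutdownPrivilege","Shut down the system","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
"SeUndockPrivilege","Remove computer from docking station","Disabled"
'@

$serverAdminCsv = @'
"Privilege Name","Description","State"
"SeShutdownPrivilege","Shut down the system","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
"SeUndockPrivilege","Remove computer from docking station","Enabled"
"SeBackupPrivilege","Back up files and directories","Disabled"
"SeRestorePrivilege","Restore files and directories","Disabled"
"SeDebugPrivilege","Debug programs","Disabled"
'@

function Compare-PrivilegeSet {
    param(
        [Parameter(Mandatory)][string]$ReferenceCsv,   # whoami /priv CSV text, first account
        [Parameter(Mandatory)][string]$DifferenceCsv,  # whoami /priv CSV text, second account
        [string]$ReferenceName = 'Reference',
        [string]$DifferenceName = 'Difference'
    )
    $ref  = $ReferenceCsv  | ConvertFrom-Csv
    $diff = $DifferenceCsv | ConvertFrom-Csv

    # Compare on name AND state, so a privilege held by both accounts but
    # Enabled on one and Disabled on the other is also reported.
    Compare-Object -ReferenceObject $ref -DifferenceObject $diff -Property 'Privilege Name', 'State' |
        ForEach-Object {
            [pscustomobject]@{
                Privilege = $_.'Privilege Name'
                State     = $_.State
                OnlyIn    = if ($_.SideIndicator -eq '<=') { $ReferenceName } else { $DifferenceName }
            }
        }
}

Compare-PrivilegeSet -ReferenceCsv $unprivilegedCsv -DifferenceCsv $serverAdminCsv `
    -ReferenceName 'desktop user' -DifferenceName 'server admin' | Format-Table -AutoSize
```

The rows reported as present only for the server admin are the candidates for granting (or deliberately withholding) on the admin workstation, one privilege at a time rather than via local Administrators membership.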

> If you were prompted as no enough privileges, you need to grant privileges to current users to
> run these programs. I am supposing you mean server operator account in your thread.

No, we do not use the Server Operator group. Instead, we create our own Global Group in active directory to be used for each type of server. For example, there is a Print-ServerAdmins group that is added via group policy to the Administrators group on our print server systems. To this group, we add the smart card credentials for administrators who manage print servers. There is a similar, but separate group for PKI-ServerAdmins, etc. In this way, only admins who need access to various services actually have it.

> https://technet.microsoft.com/en-us/sysinternals/bb664922.aspx
> https://gallery.technet.microsoft.com/Get-Set-Remove-NT-Rights-0a8a36db

I have not yet had a chance to check these in detail (busy with 2003 EOL, Win10RTM, big patch Tuesday -- you know, typical Windows Admin stuff, lol), but I am eager to do so. I am vaguely aware of these tools, but I think this actually will show me the relevant details to track this down. I will update as soon as I go through the results. Thanks.

> Personally, I prefer adding server admin to local administrator group (for certain computers
> maybe) since this option might mess your whole Privilege system and it will be disastrous.

I think we are in agreement here. This is pretty much what we do, though we have a set of groups to provide some indirection to make it easier to manage as admins change roles, come and go, etc.

Thanks very much for your response.


July 22nd, 2015 9:33am
