I'm beta testing my solution right now, and I expect version 1.0.0.0 to be ready for download early in 2016.
When it's ready, you can pay for a lifetime license, as you can see in my EULA-Copyright.txt located in the C:\ITD\TrywareDk\Setup\Bin folder.
All my PayWare programs are sold with a lifetime license, and all with a 25% discount.
Description of the issue being solved by my RunAsDomainAdmin Windows Tool:
#1: End users:
Because of your company's security rules, your end users are forced to log on without being members of the local administrators group, and they aren't allowed to right-click a file and UAC-elevate it with another logon that is a local administrator.
So all third-party applications are deployed with your Management System, in many cases using the local system account service.
But some third-party vendors' installation programs use the end user's user profile on C:\Users and the HKCU registry hive for critical parts of their applications, and that's almost impossible to solve easily with a Management System. So the only option with such applications is to make your end users members of the local administrators group, which isn't allowed in your company :O(
#2: Domain administrators:
You are forced to right-click the application's file in Explorer.exe, select the "Run as a different user" option in the context menu, and type the wanted administrator user's logon name and password, each and every time you want to run the application.
SHORT explanation of how my W8-RunAsDomainAdmin Windows Tool solves these 2 issues above:
You can specify a lot of files and/or applications that your end users can start with a shortcut on their desktop, and they will run as your domain administrator, with your domain administrator's credentials.
You are free to select a local administrator's or your domain administrator's password, if you need access to network files. There's no security risk involved in using your domain administrator's password, except when doing it with e.g. editors.
But some applications can't run without being UAC elevated. So depending on the UAC settings on your end users' computers, your specified application might be stopped by UAC elevation, even if it's started with your domain administrator's credentials. If so, you can't use my W8-RunAsDomainAdmin Windows Tool, but such a UAC issue is solved if you decide to pay for my W8-RunDisableUAC Windows Tool instead.
SECURITY RISK: If you are using your domain administrator's password, please consider not specifying e.g. editor applications or similar with my W8-RunAsDomainAdmin Windows Tool, because they will also run with your domain administrator's credentials, and might give your end users access to important files that are only meant to be manipulated by domain administrators.
LONG technical explanation of how my W8-RunAsDomainAdmin Windows Tool solves these 2 issues above:
As you can see below in my W8-RunAsDomainAdmin.ini settings file, you can specify a lot of options about how your specified file or application will run or be limited when your end users start it.
The settings file operates with 2 "similar" file and folder names:
sCompiled(file- and folder):
This is your specified file or application, that you want to give your end users an option to run with your local or your domain administrator's credentials. If your end users start this file, it runs (as usual) only with the end user's credentials.
The settings value of sCompiledFolder is always:
C:\ITD\TrywareDk\W8-RunAsDomainAdmin\SW\Compiled folder
sRunAs(file- and folder):
This is the compiled file you create with my Windows Tool, and that contains your local or domain administrator's credentials, and a link to which sCompiled(file- and folder) to use. If your end users start this file, it runs sCompiled(file- and folder) with your local or your domain administrator's credentials.
- sRunAsFile can only run if it's located in sRunAsFolder, and if not, it's automatically moved back to sRunAsFolder. sRunAsFile only starts sCompiledFile if sCompiledFile is located in the same sCompiledFolder on the end user's computer as it was on your domain administrator's computer when you compiled it with my Windows Tool. And sRunAsFile only starts sCompiledFile if the sCompiledFile has the same MD5 hash value as the sCompiledFile did on your domain administrator's computer.
- You'll get a new compiled sRunAsFile exe file with a "RunAsInvoker UAC execution level manifest", which means that it runs with the credentials of your end user. My new compiled sRunAsFile exe file contains runas commands about the needed application's exe file, being run with your local or your domain administrator's login name and password. But there's no security risk in my new compiled exe file, because your password is only part of my new compiled sRunAsFile exe file, and it can only run the specified sCompiledFile application's file, and only if my new compiled sRunAsFile exe file is located in my C:\ITD\TrywareDk\W8-RunAsDomainAdmin\SW\Compiled folder.
- Please consider using a local or domain administrator account that doesn't change its password, because if it is changed, you need to re-compile all your sCompiledFiles and copy them again to your end users. If so, I've created a logfile in the sCompiledFolder with a complete index with dates of all the accounts you have used when compiling sCompiledFile.
- My W8-RunAsDomainAdmin.ini settings file is only located on your own domain administrator's computer, where you specify your local or your domain administrator's logon name and password, and the password is automatically deleted from the settings file each time after you have compiled the new sRunAsFile exe file using my W8-Aut2ExeCompile.exe file. So there isn't any security risk about your local or your domain administrator's password, because the settings file is only changed, so it might not be part of your recycle.bin, and the clear text of your local or your domain administrator's password is only in your own domain administrator's computer's RAM while using W8-Aut2ExeCompile.exe, so there are no "traces" of it on your end users' computers when they use the compiled sRunAsFile exe file.
- So the only security concern is the pagefile.sys on your own domain administrator's computer, that "might contain" some of your computer's RAM, but maybe not your local or your domain administrator's password. Your operating system is storing "some of your computer's" RAM information in 4 KB chunks in the pagefile.sys file, and third-party hex reader software "might be" able to read those chunks and you "might be able" to extract some readable text fragments of these 4 KB chunks, but you can't recover document or application files from pagefile.sys, and I guess that you are the only one having access to your own domain administrator's computer.
- If you aren't satisfied with my security options described above, then just don't type any local or domain administrator password in my W8-RunAsDomainAdmin.ini settings file. But then you are prompted for your local or your domain administrator's password each and every time you use W8-Aut2ExeCompile.exe to compile a new sRunAsFile. If so, your local or your domain administrator's password is only in your domain administrator's computer's RAM for the 10-20 seconds it takes to compile a new sRunAsFile exe file, so it's 100% secure.
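The location-and-hash check described in the first list item above, sketched in Python as an added example (not the tool's own code; the function names, folder names and sample file contents are constructed for illustration). MD5 is the default because the page names it; any other hashlib algorithm name, such as sha256, can be passed instead.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algorithm="md5"):
    """Hash the file in chunks so large installers are not read into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def may_launch(target, pinned_folder, pinned_digest, algorithm="md5"):
    """Decide whether a launcher may start target; returns (allowed, reason)."""
    # resolve() follows symlinks and "..", so a link dropped into the pinned
    # folder cannot point the launcher at a file stored somewhere else.
    real_target = Path(target).resolve()
    if real_target.parent != Path(pinned_folder).resolve():
        return False, "not in pinned folder"
    if not real_target.is_file():
        return False, "missing"
    if file_digest(real_target, algorithm) != pinned_digest.lower():
        return False, "digest mismatch"
    return True, "ok"


def demo():
    """Constructed sample: pin a file, then copy it elsewhere and modify it."""
    with tempfile.TemporaryDirectory() as tmp:
        pinned = Path(tmp) / "Compiled"      # stands in for sCompiledFolder
        other = Path(tmp) / "Downloads"      # any other folder
        pinned.mkdir()
        other.mkdir()
        app = pinned / "app.exe"             # stands in for sCompiledFile
        app.write_bytes(b"constructed sample payload v1")
        digest = file_digest(app)            # value recorded at compile time
        results = [may_launch(app, pinned, digest)[1]]
        moved = other / "app.exe"
        moved.write_bytes(app.read_bytes())  # same bytes, wrong folder
        results.append(may_launch(moved, pinned, digest)[1])
        app.write_bytes(b"constructed sample payload v2")  # content replaced
        results.append(may_launch(app, pinned, digest)[1])
        results.append(may_launch(pinned / "gone.exe", pinned, digest)[1])
        return results


if __name__ == "__main__":
    print(demo())
```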
When my Windows Tool runs, it will create logfiles in the C:\ITD\TrywareDk\W8-RunAsDomainAdmin\SW\Log folder. These logfiles will be deleted/appended/created each time you use my W8-Aut2ExeCompile.exe file:
- W8-Aut2ExeCompile.log: Appended to W8-Aut2ExeCompile.bak, and deleted before execution.
- W8-Aut2ExeCompile.bak: Valid switches are appended. File is truncated to max. 100 KB.
- Error-W8-Aut2ExeCompile.log: Appended to Error-W8-Aut2ExeCompile.bak, and deleted before execution.
- Error-W8-Aut2ExeCompile.bak: Error switches are appended. File is truncated to max. 100 KB.
So if you are using a Management System, you are able to track success or errors in the W8-RunDisableUAC.log file or in the Error-W8-RunDisableUAC.log that is created, according to the INFO #nnn: or ERROR #nnn: numbers (all nnn numbers in 3 digits) described in W8-Setup-LogNumbers.txt located in the C:\ITD\TrywareDk\W8-Setup\Bin folder.
It contains all log numbers for all my FreeWare/ShareWare Windows Tools. It's currently a couple of hundred error and info codes, for example:
ERROR #0027: License isn't validated with correct accountname and password
INFO #0047: Please read my SYNTAX descriptions file before using my Windows Tool
As you can see in my W7-EULA-Copyright.txt located in the C:\ITD\TrywareDk\W7-Setup\Bin folder, I give you a lifetime license. But you don't have a license to distribute my W8-RunAsDomainAdmin Windows Tool to anybody else.
Because of e.g. the UAC issue, my W8-RunAsDomainAdmin Windows Tool might not work with the specified files you want to use it with. So it's up to you to do a valid test before you decide to pay me for more than 1 computer. So it's your own risk to get more licenses, because you can't get your money back. The reason is that it's the vendor of the application that decides if their installation program is compiled with a "UAC execution level manifest", so it's forced to be elevated with UAC credentials. And I can't predict that on all the computers around the world.
Some of my Windows Tool files need some switches in order to work. If you start one with the -?, -help, /? or /help switch, I will open a notepad file and show you my syntax descriptions for the needed switches.
W8-RunAsDomainAdmin doesn't have this -help feature, because everything is handled using this settings file: