Credentials are in memory while the app running as admin is in memory
- and in some cases (such as X-ing out of an RDP session) are left in
memory after the app is closed.

Oh, wait - I got it backward. You want an admin to run something as a
standard user. That makes more sense. Never mind.

Kurt

On Mon, Nov 21, 2016 at 5:49 AM, Micheal Espinola Jr
<[email protected]> wrote:
> What's the danger in running something from an admin context in a user
> context?
>
> On Sun, Nov 20, 2016 at 9:28 PM Kurt Buff <[email protected]> wrote:
>>
>> Down that path lies great danger...
>>
>> On Sun, Nov 20, 2016 at 11:44 AM, Micheal Espinola Jr
>> <[email protected]> wrote:
>> > This has always annoyed me.  I really wish the runas /trustlevel switch
>> > could be used to overcome this feature.
>> >
>> > --
>> > Espi
>> >
>> >
>> > On Sun, Nov 20, 2016 at 10:29 AM, Webster <[email protected]>
>> > wrote:
>> >>
>> >>
>> >>
>> >> https://blogs.technet.microsoft.com/askds/2009/01/07/using-group-policy-preferences-to-map-drives-based-on-group-membership/
>> >>
>> >>
>> >>
>> >> "I can only get this to work if I disable UAC on the Windows 7 client.
>> >> Is this expected?"
>> >>
>> >>
>> >>
>> >> "This should only happen with administrative user accounts. The drive
>> >> mapping occurs in an elevated user process. The Windows Explorer
>> >> process is a non-elevated process. Mapped drives, regardless of how
>> >> they are mapped, by default do not span across processes of different
>> >> elevation. Normal User accounts should not have this problem. You can
>> >> bypass the problem by mapping the drive as a scheduled task, which
>> >> would occur under the non-elevated process. Or, you can enable the
>> >> registry setting in MSKB Article ID: 937624."
>> >>
>> >>
>> >>
>> >> Thanks
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> Webster
>> >>
>> >>
>> >>
>> >> From: [email protected]
>> >> [mailto:[email protected]] On Behalf Of Mike Kanfer
>> >> Sent: Sunday, November 20, 2016 9:42 AM
>> >> To: [email protected]
>> >> Subject: Re: [NTSysADM] Windows 2012 R2 GPO Mapping Issue
>> >>
>> >>
>> >>
>> >> Bingo!  That was it.  Thank you!!
>> >>
>> >>
>> >>
>> >> On Sun, Nov 20, 2016 at 9:11 AM, Eric Wittersheim
>> >> <[email protected]> wrote:
>> >>
>> >> Are the users local admins? UAC can block mapped drives when the users
>> >> are administrators. You can check this by opening up a cmd prompt and
>> >> switching to the mapped drive letter. This shows the GPO is working but
>> >> it's mapping the drive for Administrator instead of the intended user.
>> >>
>> >> Eric
>> >>
>> >>
>> >>
>> >> On Sat, Nov 19, 2016 at 9:00 PM Mike Kanfer <[email protected]> wrote:
>> >>
>> >> We have a GPO that is applied to Authenticated Users and linked to our
>> >> domain.  In it, we have a mapped drive which isn't working.  Looking at
>> >> GPResult shows the policy being applied.  Using NET USE, we can map the
>> >> drive with a user logged in.  We have unchecked "reconnect at logon"
>> >> and it still doesn't work.  The drive map action is Create. We also
>> >> tried Update. The GPO does work because other elements - a message on
>> >> the logon screen - are displayed.  The DC is a Windows 2012 R2 server
>> >> and the workstation is a Windows 10 Pro version.  It also is not
>> >> working on a Windows 2012 R2 terminal server.
>> >>
>> >>
>> >>
>> >> Any help would be appreciated.
>> >>
>> >>
>> >
>> >
>>
>>
> --
> -- Espi (via mobile)
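
The behaviour quoted in the thread (drive mappings not spanning processes of different elevation for an administrative account) can be observed with the read-only check below. It is an added example, not code from any poster in the thread: run it once from a normal prompt and once from an elevated prompt under the same admin account and compare the output. The registry value name `EnableLinkedConnections` is an assumption about what the KB 937624 setting is called; the thread gives only the article number.

```powershell
# Added example (not from the thread). Read-only: changes nothing on the system.
# Reports whether this process holds the elevated or the filtered token, the
# relevant UAC policy values, and the drive mappings this process can see.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# With UAC on, an admin's non-elevated token carries Administrators as deny-only,
# so IsInRole returns $false there and $true in the elevated process.
$isElevated = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

function Get-PolicyValue([string]$Name) {
    # Return the value if present, otherwise say so instead of returning $null.
    if ($policy -and ($policy.PSObject.Properties.Name -contains $Name)) {
        return $policy.$Name
    }
    return 'not set'
}

[pscustomobject]@{
    User                    = $identity.Name
    Elevated                = $isElevated
    # EnableLUA = 1 means UAC (and therefore the split token) is active.
    EnableLUA               = (Get-PolicyValue 'EnableLUA')
    # Assumed name of the KB 937624 setting referenced in the thread.
    EnableLinkedConnections = (Get-PolicyValue 'EnableLinkedConnections')
} | Format-List

# Mappings visible to this process. A drive that appears in the elevated run but
# not in the non-elevated run matches the symptom described in the thread.
net use
```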

