Runas Batch File To Launch MMC as Domain Admin

So, I recently started with a new company that wisely implements User Account Control on the desktops, and follows the best practice of having one administration account for Domain Admins and a separate account for everyday use. I came from an environment where I was supporting several different domains, so building an MMC for my clients didn’t make much sense. Had I written this little batch file before, it would have made my onsite visits much easier. I am running this on Windows 7 SP1 x64. The batch file is quite simple, but I didn’t find anything with instructions on how to ‘make it all work’, so I thought I’d throw this blog out there.

Step 1: Check your services, and make sure the “Secondary Logon” service is running and set to Automatic. If this service isn’t running, you can’t log in using runas.

Step 2: Create a folder on the C drive and name it MMC. If you are going to be visiting multiple clients, or if you are going to be administering multiple disjointed domains, add the “Everyone Full Control” permission to this folder. I’m not 100% sure if this is important (and I honestly didn’t test it), but I would believe it would simplify things so that the batch file doesn’t have to get past the local permissions of your PC to also run on the domain your PC is a guest on. If you are running this on your own domain, or a domain your PC is a member of, then this isn’t as important.

Step 3: Create a new MMC with all of the Snap-Ins you like to use regularly and save it to the C:\MMC folder. I added ADUAC, DNS, DHCP, ADS&S, RDC, Event Viewer, Services, and Computer Management. I’m sure I’ll add more later but those are the basics that I started with.

Step 4: Create a batch file in that folder with the following text where:

  • %domain% is the domain you’re logging in to.
  • %username% is the user name you’re logging in with.
  • %filename% is the name of the MMC file you created and saved in Step 3.

runas /user:%domain%\%username% "mmc C:\MMC\%filename%.msc"

For example, if I were logging into the company domain with the user ID Matt and the MMC file I created was named Console, then the script would look like this:

runas /user:company\Matt "mmc C:\MMC\console.msc"

I initially had problems with Windows 7 and received the error: 193: console.msc is not a valid win32 application, which is why I added the “mmc ” into the script. Not sure why Windows 7 had a problem associating MMC with msc in the batch file, but specifying mmc did the trick. I read that tip here.

Step 5: Save and close your batch file naming it something that makes sense to you.

Step 6: Copy a shortcut to your desktop (or other convenient location) and change the Icon if desired.

Step 7: Launch your batch file. Be sure to Right Click and select “Run As Administrator” if your PC has UAC turned on.

Step 8: After you launch the batch file, a cmd window will pop up and you will be prompted for a password. Enter the password for the user you defined in the batch file and you’re all set.
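
An added example, not the author's script: a launcher that folds Steps 1 to 4 into one batch file, checking the Secondary Logon service and the console file before calling runas, and flagging write access for Everyone on C:\MMC, since anything started from that folder runs under the admin account. The script name adminmmc.cmd, its argument order and its exit codes are assumptions, and the group-name match assumes English-language Windows.

```batch
@echo off
rem Added example, not the author's script. Hypothetical name: adminmmc.cmd
rem Usage: adminmmc.cmd DOMAIN USER [console.msc]
setlocal
if "%~2"=="" (
    echo Usage: %~nx0 DOMAIN USER [console.msc]
    exit /b 1
)
set "ADM_ACCOUNT=%~1\%~2"
set "CONSOLE=C:\MMC\console.msc"
if not "%~3"=="" set "CONSOLE=C:\MMC\%~3"

rem Step 1: runas needs the Secondary Logon service (service name seclogon).
rem Try to start it if it is stopped; this needs an elevated prompt (Step 7).
sc query seclogon | find "RUNNING" >nul || net start seclogon >nul 2>&1
sc query seclogon | find "RUNNING" >nul
if errorlevel 1 (
    echo Secondary Logon is not running and could not be started.
    exit /b 2
)

rem Step 3: the saved console must exist before runas prompts for a password.
if not exist "%CONSOLE%" (
    echo Console file not found: %CONSOLE%
    exit /b 3
)

rem Step 2 check: warn when Everyone holds Full, Modify or Write on the folder.
rem The match on the name "Everyone" assumes English-language Windows.
icacls "C:\MMC" | findstr /i /c:"Everyone:" | findstr /c:"(F)" /c:"(M)" /c:"(W)" >nul
if not errorlevel 1 echo WARNING: Everyone can modify C:\MMC; review that ACL.

rem Step 4: straight quotes only; \" keeps a file name with spaces intact.
runas /user:%ADM_ACCOUNT% "mmc \"%CONSOLE%\""
exit /b %errorlevel%
```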

So, you can see the different applications of this batch file. If you’re a roaming admin, you can create a separate file for each client. In my case, we acquired a company not too long ago, so I will have one batch file (and likely a different msc defaulting to certain servers) for each of the domains for ease of administration.

Still working on the Exchange Management console. The same script throws the same ‘invalid Win32 Application’ with or without the preceding MMC part of the script. I can Shift-Right Click, and ‘Run as different user’, but I’d rather not...

Good luck, and happy administration!