Subscribe to Windows IT Pro
January 01, 1998 12:00 AM

SU

Mark Minasi
Windows IT Pro
InstantDoc ID #3460
Rating: (0)
A utility for dual-personality users

If you have the Microsoft Windows NT Server Resource Kit or the Microsoft Windows NT Workstation Resource Kit, you know that it's full of great-sounding utilities. But figuring out some of those utilities can be a problem. This new column will explain what you can do with resource kit utilities. Every month, I'll highlight a utility, tell you what it does, and show you how to use it.

One utility worth figuring out is su.exe. It lets you start up a program under the guise of a different user.

When this Utility Is Useful
Suppose you're a network administrator in domain EARTH. You have two accounts on your network: CKENT and KALEL. One afternoon, you're logged on to your CKENT account, your ordinary user account, working on a monthly report in Word. A user calls and says he's forgotten his password and asks you to reset it for him. No problem. You start up the User Manager for Domains. You find his account and double-click on it, only to be told "Access Denied: the user properties cannot be edited or viewed at this time."

Then you remember you're logged on to your user account. So you'll have to shut down Word, log off CKENT, and log back on as KALEL, an account with administrative powers. But, you have a better idea: su.exe.

SU lets you start up the User Manager for Domains (or any other application) under the KALEL account, even if you're not currently logged on as KALEL. You can then change the user's password, exit the User Manager, and return to your Word document.

Step by Step
In its simplest form, an SU invocation looks like 

su <name of account you want to use> <name of program>
   <domain of account>

In our example, all you have to do is open up a command line and type 

su kalel usrmgr earth

SU will prompt you for the password for the KALEL account. Once you've entered the password, User Manager for Domains starts.

Suppose I have two user accounts, Mark (ordinary user account) and MarkA (administrative account), in domain ANDROMEDA. I'm logged on to my NT workstation as Mark and want to change my system's time. But, ordinary users can't change system times. To use the TIME command, I need a command line. So, I type 

su MarkA cmd andromeda

I'm prompted for MarkA's password, I supply it, and I get a command prompt window. Then I can use the TIME command to change the computer's time.

What Can Go Wrong
SU is a neat utility, but you have to modify a user's rights before SU will work. If you just fire up a command line on a system that's installed with all default rights, the previous examples won't work. The CKENT account (the account running SU) must have two advanced user rights that NT users of all stripes don't have by default: Act as part of the operating system and Replace a process level token.

An administrator can easily give those rights to CKENT. So, before you try SU the first time, log on to your Windows NT machine with the administrative account—KALEL in this example—and open up the User Manager for Domains.

If you're running User Manager for Domains, you'll need to direct the User Manager to modify the rights granted on the machine you're working at. By default, the User Manager for Domains modifies the rights that domain controllers, not machines in general, grant. For example, suppose you have two domain controllers, D1 and D2, and three member servers, S1, S2, and S3, and you're at a workstation named W1. All are NT machines that are members of a domain. If you're sitting at W1 logged on as CKENT and want to run SU, then CKENT must have the Act as part of the operating system and Replace a process level token rights on W1. So, again, before CKENT can run SU, you'll have to log on to W1 with an administrative account to grant CKENT those rights.

If you're using User Manager for Domains, you click User/Select Domain and type in W1. (Yes, W1 is a machine, not a domain, but that's how you control W1's rights.) Now click OK. But if you're just sitting at W1 and running the simple User Manager, you don't have to click User/Select Domain. Then click Policies/User Rights, and check the box labeled Show advanced user rights. Select Act as a part of the operating system and add CKENT's name. Do the same for Replace a process level token. CKENT can now run SU. Happy NT schizophrenia!

Related Content:

ARTICLE TOOLS

Comments
Add A Comment
  • Andy Lewisa
    13 years ago
    Oct 06, 1999

    Phenomenal introductory article. Discovered that ie3+ automatically forwards account credentials; didn't want to keep logging out/logging in to be able to use the web "securely." SU is a good tool; has been updated in the latest ResKit update. Would like to see a followon article that explains the "desktops" concept for SU. Ideally I'd like to toggle between an admin session and a generic user session, but for the time being I'm using SU to intitiate an admin session of progman and built a program group with shortcuts to all the admin tools I need. Would prefer to open a second desktop entirely...

  • Bruno Kneubuehler
    13 years ago
    Aug 10, 1999

    I just read Mark Minasi’s January This Old Resource Kit column, “SU,” and want to thank him for this helpful description of su.exe. This utility saves me a lot of time running across the building to do administrative work. Also I can finally start two Exchange Administrators in two sites when I’m logged on to my workstation. Greetings from Switzerland.

    --Bruno Kneubuehler

  • Ken Root
    13 years ago
    Aug 10, 1999

    I like the addition of Mark Minasi’s This Old Resource Kit column. It really helped me out. But I found one problem in the January installment, “SU.” If you are trying to access a workstation in User Manager for Domains and you select File Select Domain, you can’t simply type the name of the workstation as Mark Minasi said. You have to put the \\\\ in front of the computer name.

    --Ken Root



    That’s odd; my experience is different. I’ve used the \\\\ in the past but found that, counter to my intuition, the name without the slashes worked. I don’t know how your network is different from mine (different service packs, perhaps?), but thanks for the reminder. Always add the \\\\.

    --Mark Minasi

You must log on before posting a comment.

Are you a new visitor? Register Here

advertisement

advertisement

Dev Pro Left-Brain SharePoint Pro SQL Server Pro SuperSite for Windows Windows IT Pro

© 2012 Penton Media, Inc.

Home About Us Advertise Customer Service Privacy Statement Subscribe/Renew Terms Of Use

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.