RunAs Standard User with Admin Token

[SleepingRobot]

So I'm a little embarrassed that the problem that's pulled me out of long-time lurking and into making my first post here is on a subject with so much existing discussion. None of the posts I've found so far seem relevant to my specific problem however, so hopefully someone on this wonderful forum will be able to help me out!

Essentially, I'm trying to write a tiny AutoIt executable that a standard user on Windows 7 can run that will kick off both a "gpupdate /force" and a "gpresult /H c:\temp\gpresult.html". The catch seems to be that (due to UAC?), the gpresult /H command must be ran with elevated rights (a.k.a. be passed the admin token) to generate the COMPUTER RSoP information. I found this awesome post by AdamUL that describes how you can recursively relaunch your AutoIt script to get it both running as the desired admin ID (RunAs function) as well as passing the admin token to elevate the session (ShellExecute function with "runas" verb) , but unfortunately I do not think this will work in my case without some modification as the gpupdate / gpresult commands need to still be running as the user's session and not my admin's.

So, to my question -- Is it possible to run a command as a standard user ID while using a domain admin ID to pass it the elevated admin token? The thought crossed my mind of temporarily adding the user as a local admin, running the commands in a new cmd instance, and then removing the user again, but this seems a little questionable security-wise, so I'd prefer to avoid this approach if possible. If any better methods exist out there to accomplish what I'm after, I would be happy to hear them!

 

[alien4u]

What about gpresult /H report.html /USER domain\username.

So you could run this using RunAs as you already said and specifying which user to generate report from.

Regards
Alien.

[SleepingRobot]

On ‎4‎/‎13‎/‎2016 at 6:46 PM, alien4u said:

What about gpresult /H report.html /USER domain\username.

So you could run this using RunAs as you already said and specifying which user to generate report from.

Regards
Alien.

Wow, I actually had no idea there was a /USER switch for gpresult. I just tested this and it works flawlessly! You rock, thanks.
It is slightly disappointing that running with /USER doesn't seem to be supported with /H, but I think this is still good enough for what I need. Thanks again!

[alien4u]

1 hour ago, SleepingRobot said:

Wow, I actually had no idea there was a /USER switch for gpresult. I just tested this and it works flawlessly! You rock, thanks.
It is slightly disappointing that running with /USER doesn't seem to be supported with /H, but I think this is still good enough for what I need. Thanks again!

Glad to help.

Running /H /USER is supported try it I already try it before I post the solution.

Happy Coding.
Regards
Alien.

[SleepingRobot]

Wow, even better. When I looked at the gpresult /? output I must have mixed up /U and /USER (/U is what doesn't work with /H). Working exactly how I wanted. You're a stud, dude!

[alien4u]

Your welcome, glad to help.
The same happened to me when I read the gpresult help is kind of confusing /U and /USER.

Regards
Alien.