I am having trouble understanding what is going on with "runas".
Situation:
- CLIENT is W10 Pro joined & logged in to Active Directory Domain FOODOM.
- USER is a member of FOODOM and a default Domain User, nothing elevated.
- MYADMIN is a member of FOODOM and a member of Organization-Admin, Domain-Admin, etc. A typical Domain-Admin user.
- UAC is enabled.
- FOODOM\USER is logged in on CLIENT.
Problem:
FOODOM\MYADMIN is not allowed to runas with admin rights from inside FOODOM\USER's session:
runas /user:FOODOM\MYADMIN cmd fails with "The requested operation requires elevation"
However, the built-in Administrator account works:
runas /user:FOODOM\Administrator cmd -> ok
FOODOM\MYADMIN can successfully log in on CLIENT. When logged in, MYADMIN can run things with Domain Admin privileges locally and remotely.
Thoughts: Am I missing some flag? None of the administrative users we usually use can successfully invoke runas except the built-in Administrator...? I suspect it only works because the local workstation is mixing up FOODOM\Administrator with .\Administrator?
Edit:
As the comments seem to ignore the real question, here is a clarification: I am aware of elevation issues with UAC and am referring to the DOMAIN Administrator, not the local one. What is the reason domain\Administrator actually CAN circumvent runas elevation while domain\someAdmin can NOT? LDAP flag? Delegation? if(username==*\administrator) { do.secretElevationHack(); } ?
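An added diagnostic script (not part of the original post) to compare what token each runas target actually receives on CLIENT: it reports whether the account is the well-known built-in Administrator (RID 500, which UAC exempts from token filtering unless the FilterAdministratorToken policy is enabled), whether the process token is elevated, its integrity label, and the UAC policy values under HKLM that control admin-token filtering. It assumes the account names from the question and that the script is saved as Check-Token.ps1.

```powershell
# Added diagnostic (not from the original post). Run it once per runas target:
#   runas /user:FOODOM\MYADMIN       "powershell -NoProfile -NoExit -File .\Check-Token.ps1"
#   runas /user:FOODOM\Administrator "powershell -NoProfile -NoExit -File .\Check-Token.ps1"
# and compare the two outputs. Account names are the ones from the question.

$id  = [Security.Principal.WindowsIdentity]::GetCurrent()
$pri = New-Object Security.Principal.WindowsPrincipal($id)

# Well-known built-in Administrator account: SID ends in RID 500. UAC does not
# filter that account's token unless FilterAdministratorToken is set to 1.
$isRid500 = $id.User.Value -match '-500$'

# With a filtered (non-elevated) token IsInRole(Administrator) is $false even
# for a Domain Admin, because BUILTIN\Administrators is present in the token
# only as a "deny only" group.
$elevated = $pri.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Integrity level of this process from whoami (High = full admin token,
# Medium = filtered standard-user token).
$label = (whoami /groups) |
         Where-Object { $_ -match 'Mandatory Label' } |
         ForEach-Object { ($_ -split '\s{2,}')[0] }

# UAC policy values that govern admin-token filtering on this machine.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey

[PSCustomObject]@{
    User                       = $id.Name
    UserSid                    = $id.User.Value
    IsBuiltInAdministrator     = $isRid500
    TokenIsElevated            = $elevated
    IntegrityLabel             = $label
    EnableLUA                  = $uac.EnableLUA
    # 0 or absent: the RID 500 account receives a full token without a prompt
    FilterAdministratorToken   = $uac.FilterAdministratorToken
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
} | Format-List
```

If MYADMIN shows TokenIsElevated False with a Medium label while Administrator shows True with High, the difference is UAC token filtering rather than group membership or delegation.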