I have the similiar situation as Paul's. I need to provide a "RunAs" 
program (with admin's priviledge) to implement an unattended application 
deploymenton on a number of Windows 2000 prof. machines.
Paul, have you got any solution yet? Thanks!

> O.K.  I'm basically supposed to be creating an application similar to
> RunAs.  And, seeing as we have probably the largest userbase in the
> world (we've been told nearly 850,000 workstations, but with 1.9 million
> employees and contractors, I'd imagine it's a little higher), I can't
> just upgrade the clients.  RunAs is not a secure methodology to use.  I
> have to be able to use something that will be able to handle encryption.
> So, I'm basically stuck. Your idea would work if I had the freedom, but
> I've got nearly 3/4 million Win95 boxes to support with this app.  It's
> a little strange to work in such a large environment, but it makes you
> MUCH more careful.  :)  Sometimes I get caught in the trap of thinking
> like I'm working on a user base of 30-50, but then someone comes along
> and reminds me to wake up.
> 
> Paul Rivers
> Contractor
> U.S. Postal Service
> 
> -----Original Message-----
> From: bounce-pro_vb-635906@p... at INTERNET
> Sent: Friday, October 05, 2001 1:45 PM
> To: Rivers, Paul A - Raleigh, NC; pro_vb@p... at INTERNET
> Subject: [pro_vb] RE: O.K. Toughie here. CreateProcessAsUser
> 
> 
> Upgrade the client OS and use Windows 2000 RunAs function:
> The Runas utility is primarily designed to allow administrators to logon
> as
> an ordinary user, but to invoke a secondary logon, without logging off, 
in
> order to run administrative tools with administrator rights and 
permissions.
> Each Administrator can have an ordinary account and an account that is a
> member of an administrators group, or they can all share an
> administrators account.
> 
> In addition to securing your system against an unintended action, 
secondary
> logons prevent a 'Trojan Horse' attack if you were using IE while 
accessing
> a non-trusted site.
> 
> Ordinary users can also use the Runas functionality, to start programs 
under
> different user contexts.
> 
> Examples
> 
> Opening a CMD prompt in the local Administrator context
> 
> Start / Run / Runas /user:<ComputerName>\administrator CMD will open a 
CMD
> Windows titled <ComputerName>\administrator and prompt for the
> Administrator's password. Any command-based programs will run in the
> <ComputerName>\administrator context.
> 
> NOTE: If you run any program that stores files in the per-user folders, 
use
> the /profile switch or they will be stored in the default user profile.
> 
> Running a Control Panel Tool in the local Administrator context.
> 
> Start / Settings / Control Panel and select the tool with a single left
> click. Hold down the SHIFT key and right-click the icon. Press Runas.
> Enter
> the credentials when prompted.
> 
> Starting a shortcut in the local Administrator context.
> 
> Highlight the shortcut, hold down the SHIFT key and right-click the icon.
> Press Runas.
> 
> NOTE: You can use this technique on any registered file type, such as
> running Computer Management with a shortcut to %SystemRootA%\System32
\compmgmt.msc.
> 
> NOTE: You can configure a shortcut to always use a secondary logon by
> opening the Properties page and clicking Run as different user.
> 
> Running the Windows Explorer Shell in local Administrator Context
> 
> Start Task Manager and press the Processes tab. Select Explorer.exe and
> press End Process and YES. Your desktop will disappear. Select the
> Programs
> tab and press New Task. Type:
> 
> Runas /user:<ComputerName>\administrator explorer.exe
> 
> and press OK. Enter the password.
> 
> The desktop will return.
> 
> When you are finished using this context, log off and a new explorer 
shell
> in the original context will start.
> 
> NOTE: The Runas service must be started for Runas to function.
> 
> Dane
> -----Original Message-----
> From: Paul Rivers [mailto:RiversPA@e...]
> Sent: Friday, October 05, 2001 12:14 PM
> To: professional vb
> Subject: [pro_vb] O.K. Toughie here. CreateProcessAsUser
> 
> 
> 
> I'm trying to do a process to allow us to leave JoeUser logged in, and 
have
> an Administrator come to the machine and execute an application. This
> application will require Admin userid and password.  I've been beating
> my
> brains out trying to code it in VC++ (I've got a lot of C++ experience, 
but
> this is WAY beyond me).  So, I decided to look up the API's.  I'm still
> running into a brick wall.  I've found a Microsoft Q article and I'm 
going
> to work on that for a while, but I'm wondering if anyone else would have 
any
> VB sources (Codehound.com is where I found the Q, VBCode doesn't have
> anything on it.) that may have some source code to look at that could
> help
> me go in the right direction?  I know the following facts:
> 
> 1) The user must have SE_TCB_NAME (Act as part of the Operating System)
> rights.
> 2) The user must have a valid token from the Admin user to run the
> CreateProcessAsUser.
> 3) The LogonUser function will give the token from #2, but must meet
> criteria from #1.
> 4) The ImpersonateUser function will allow the token generated from #3
> to be
> used in the CPAU.
> 
> Any more information would be VERY helpful.
> 
> (Eventually, this process will be coded in a manner to allow an
> encrypted
> password on the server to be read in to the file and run the application
> automatically as an administrative user to reduce overhead support
> costs.)
> 
> Thanks in advance.
> Paul
> 
> 
> (P.S.  If you are going to VBITS in Orlando next week (or this week if 
you
> get this message on Monday/Tuesday) send me an e-mail to my private e-
mail
> at spacewarp@y...  I'm going to be there, and would like to meet 
some
> of the folks that are so helpful on this list.)