15

Let's say I'm an administrator on a Windows 7 box. I'd like to be able to run commands as other users without knowing their passwords. This is what happens on Linux. If I'm root, I can 'su' to other accounts without providing any password and run commands in their own name.

Arnaud
  • 4
    -is not possible. On a Windows system a credential set is always needed: username and password – CB. Oct 04 '11 at 19:22
  • 3
    Related: http://serverfault.com/questions/16886/is-there-an-equivalent-of-su-for-windows – manojlds Oct 04 '11 at 19:42
  • Also related: http://stackoverflow.com/questions/8304398/is-it-possible-for-a-windows-service-impersonate-a-user-without-a-password So apparently it could be technically possible to impersonate another account, but it's really not remotely feasible in a system administration sense. You have to spawn a process from an existing process where the target user is already authenticated. – Bacon Bits May 14 '15 at 20:44

1 Answer

14

su (substitute user or switch user) allows changing the account associated with the current terminal. Where a normal user has to give the password of the account he wants to change to, the superuser (root) can change to any ID he wants without giving a password.

sudo executes a command as another user but observes a set of constraints about which users can execute which commands as which other users (generally in a configuration file named /etc/sudoers, best editable by the command visudo). Unlike su, sudo authenticates users against their own password rather than that of the target user (to allow the delegation of specific commands to specific users on specific hosts without sharing passwords among them and while mitigating the risk of any unattended terminals).

On Windows, runas.exe allows a user to run programs with different permissions than the user's current logon provides. But for this you have to provide credentials. Windows security does not allow an administrator to execute as another user without his credentials. Administrators can do what they want but not under certain limits without control (discretionary power).

Now, once that's said, on Windows an administrator can take and give ownership of resources and then do what he wants, but it's logged.

JPBlanc