Using the runasrole command line

As an alternative to selecting Run with Privilege from the right-click menu for an application, you can use the runasrole command-line program. The RunAsRole program enables you to run a specified Windows application in a Command Prompt window using a specified Centrify access role. You can use command-line options to control whether the role is used as a local role, a network role, or both, and whether to use the current environment or the environment variables associated with the “Run As” user account. The runasrole command-line program is equivalent to selecting the Run with Privilege menu option when right-clicking an application shortcut or executable.

The syntax for the runasrole command is:

runasrole /role:role[/zone] [options] application [argument]

runasrole /localrole:role[/zone] [options] application [argument]

runasrole /networkrole:role[/zone] [options] application [argument]

You must specify the role to use in the rolename/zonename format. You must also specify an appropriate path to the application you want to access, including any required or optional arguments.

You can use the following command line arguments with the runasrole command:

Use this option To do this

/role

Use the role name you specify as both a local role and a network role. You can specify this option to run an application locally and access a remote server using the same role, if applicable.

You should only use this option if the role you are assigned and want to use has both local and network access rights defined.

/localrole

Use the role name you specify as a local role.

/networkrole

Use the role name you specify as a network role.

/env

Use the current environment variables instead of the environment variables associated with the "Run As" user account.

/netdrives

Use mapped network drives when running an application with the selected role.

By default, you cannot use mapped network drives that are associated with your logged-on user account when running applications using a role with elevated privileges. If you want to use a mapped network drive when accessing an application using a selected role, include the /netdrives option in the command line.

/removetimestamp

Remove the grace period on Windows authentication and MFA for the current user session.

/wait

Prevents the runasrole program from exiting immediately after opening the specified application.

If you specify this option, the runasrole program starts the specified application and waits until the application session ends before exiting. When the application session ends, the runasrole program exits and returns the same result code as the application.

If you specify this option and the application is a command line utility, the runasrole program redirects the application's input and output to the command line console.

You should note that some applications use a Microsoft API that does not support redirection of standard input and output. For applications that don’t support redirection, the /wait option has no effect and is ignored.

/h

Displays the command help.

Note: If your administrator has enabled privilege elevation justification, a dialog box appears. Enter the following information to justify why you need to run the application with privilege:

  • Ticket number: If your administrator has instructed you to enter a ticket number, do so here. (This field can be used with ticketing systems such as ServiceNow and so forth.)
  • Reason: Select the reason category that best fits your situation. Your choices are:
    • Software Installation
    • Remote System Administration
    • Local System Administration
    • Windows Feature Management
    • System Networking Change
    • Maintenance (Shutdown, Reboot, Power Off)
    • PowerShell or Other CLI
    • Centrify Operation (Services, Zone Operations, etc.)
    • Other
  • Comment: Enter any comments about your need to run as role.

Examples of using runasrole

To use the same role to open the Computer Management application locally and access a remote server in zone1, you might run a command similar to the following:

runasrole /role:role1/zone1 mmc.exe c:\windows\system32\compmgmt.msc

To use the role named SQLdba from the finance zone as a local role to open the Services application, you might run a command similar to the following:

runasrole /localrole:SQLdba/finance mmc.exe c:\windows\system32\services.msc

To use role1 from zone1 as a local role to open the Computer Management application and use network access rights from role2 in zone2, you might run a command similar to the following:

runasrole /localrole:role1/zone1 /networkrole:role2/zone2 mmc.exe compmgmt.msc

To open the Services application using the role named SQLdba from the finance zone and have the runasrole program remain open until you close the Services application, you might run a command similar to the following:

runasrole /wait /role:SQLdba/finance mmc.exe c:\windows\system32\services.msc

Running an application from a shortcut

In most cases, you can use the runasrole program to run specified Windows applications using the application shortcut. However, there are many different types of application shortcuts and the RunAsRole program does not support all of them. You can use the RunAsRole program to execute applications with the following recognized shortcut target extensions:

.bat

.cmd

.cpl

.exe

.msc

.msi

.msp

.ps1

.vbs

.wsf

How to determine whether RunAsRole supports an application shortcut

You can determine whether you can use the RunAsRole program to execute an application from the application shortcut by checking the file extension for the target application in the application’s shortcut properties dialog box.

To check the file extension for a target application shortcut

  1. Select an application shortcut.
  2. Right-click the shortcut, then click Properties to display the file properties.
  3. Click the Shortcut tab and check the target field.

    If the target file extension displayed is a supported file extension, you can use RunAsRole to execute the application from the application shortcut. Note that a shortcut target field might include both the file name for the application executable and one or more arguments. As long as the application executable has a supported file extension, you can use RunAsRole to execute the application with the specified arguments from the shortcut. For example, if the shortcut target is C:\Windows\System32\control.exe printers, the application executable C:\Windows\System32\control.exe has a supported file extension, with printers supplied as an argument. Therefore, you would be able to use RunAsRole to run the application from its shortcut.
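
The same check can be scripted for many shortcuts at once. The following PowerShell is an added example, not part of the Centrify documentation or product: it reads each shortcut's target through the Windows Script Host WScript.Shell object and compares the extension with the list above. The function name Test-RunAsRoleShortcut and the choice of the current user's desktop as the folder to audit are assumptions made for illustration.

```powershell
# Extensions this page lists as recognized shortcut targets for RunAsRole.
$SupportedExtensions = '.bat', '.cmd', '.cpl', '.exe', '.msc', '.msi', '.msp', '.ps1', '.vbs', '.wsf'

# Hypothetical helper (not a Centrify cmdlet): reports whether a .lnk file
# points at a target whose extension is in the supported list.
function Test-RunAsRoleShortcut {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    begin { $shell = New-Object -ComObject WScript.Shell }
    process {
        $resolved = (Resolve-Path -LiteralPath $Path).ProviderPath
        $link = $shell.CreateShortcut($resolved)

        # TargetPath holds only the executable; any arguments shown in the
        # Target field of the Properties dialog are in the Arguments property,
        # so "control.exe printers" is evaluated on "control.exe" alone.
        $ext = [System.IO.Path]::GetExtension($link.TargetPath).ToLowerInvariant()

        [pscustomobject]@{
            Shortcut  = $resolved
            Target    = $link.TargetPath
            Arguments = $link.Arguments
            Extension = $ext
            # Shortcuts with no file target yield an empty extension and are
            # reported as unsupported.
            Supported = $SupportedExtensions -contains $ext
        }
    }
}

# Audit every shortcut on the current user's desktop (assumed location).
Get-ChildItem -Path ([Environment]::GetFolderPath('Desktop')) -Filter *.lnk |
    Test-RunAsRoleShortcut |
    Format-Table Shortcut, Target, Arguments, Supported -AutoSize
```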