RSAT, Vista and ShellRunas

On March 25, 2008, in Security, by

Microsoft Remote Server Administration Tools (RSAT) enables IT administrators to remotely manage roles and features in Windows Server 2008 from a computer running Windows Vista SP1.

When you install Vista SP1, it removes the GPMC from the workstation, and you need the GPMC to administer the group policies on the server that affect Vista workstations.

To install the Administration Tools pack

  1. Download the Administration Tools package from the Microsoft Web site.

  2. Open the folder into which the package downloaded, and double-click the package to unpack it and start the Microsoft Remote Server Administration Tools Setup Wizard.


    You must accept the License Terms and Limited Warranty to begin installing Administration Tools.

  3. Complete all the steps required by the wizard, and click Finish to exit the wizard when installation is complete.

  4. Click Start, click Control Panel, and then click Programs.

  5. In the Programs and Features area, click Turn Windows features on or off.

  6. If you are prompted by User Account Control to allow the Windows Features dialog box to open, click Continue.

  7. In the Windows Features dialog box, expand Remote Server Administration Tools.

  8. Select the remote management tools that you want to install.


  9. Click OK.


And there ya go….

Just remember: if you log in as “you” and not as a domain admin, you’ll see “inaccessible” on some of the domain policies.

I think you’ll want to add this to your tool bag as well… in fact it’s a MUST have if you are a lazy bone like me and don’t want to relog into the domain.


Go to the command line and run ShellRunas /reg to make it register into the tool bar.

And then you get this:

Which allows you to enter domain credentials

Please read Dr. J’s Security Resource Kit for the fact that I have now “But suppose the user logging on to the workstation is a member of the local administrators group on the server. And say the domain administrator frequently logs on to the server. …..However, in this case, a user who logs on to the workstation is a member of the Administrators group on the server. Thus, the security of the server is dependent on the security of the workstation. That means the security of the entire domain is dependent on the security of the workstation. And, guess what: the user on that workstation just unwittingly ran the attacker’s tool.”

In this case I have no choice.  I must use a workstation to admin the Vista group policies as I cannot at the server. I know I’m adding a bit of risk logging in as the domain admin on a workstation, but it’s an acceptable risk I take.
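The dependency chain in the quoted passage can be worked through mechanically. The sketch below is an added example, not code from the original post or from the Security Resource Kit; the host and account names (SERVER, VISTA-WS, GPMC-WS, domadmin, alice, bob) are constructed, and it assumes that entering an account's credentials on a host makes everything that account administers depend on that host.

```python
from collections import deque

# Constructed sample environment (hypothetical names, not from the post).
# ADMIN_ON[target] = accounts with administrative rights on that target
# LOGS_ON[host]    = accounts whose credentials are entered on that host
ADMIN_ON = {
    "DOMAIN": {"domadmin"},            # the domain itself, modelled as a node
    "SERVER": {"domadmin", "alice"},   # alice is a local administrator here
    "VISTA-WS": {"alice"},
    "GPMC-WS": {"bob"},
}
LOGS_ON = {
    "SERVER": {"domadmin"},            # the domain admin logs on to the server
    "VISTA-WS": {"alice"},
    "GPMC-WS": {"bob"},
}

def depends_on(admin_on, logs_on):
    """Return {target: hosts whose security the target directly depends on}.

    A target depends on a host when an account that administers the target
    has its credentials entered on that host.
    """
    deps = {target: set() for target in admin_on}
    for target, admins in admin_on.items():
        for host, users in logs_on.items():
            if host != target and admins & users:
                deps[target].add(host)
    return deps

def transitive_dependencies(target, admin_on, logs_on):
    """All hosts the target's security depends on, directly or indirectly."""
    deps = depends_on(admin_on, logs_on)
    seen, queue = set(), deque([target])
    while queue:
        for host in deps.get(queue.popleft(), ()):
            if host not in seen:
                seen.add(host)
                queue.append(host)
    return seen

def with_logon(logs_on, host, account):
    """Copy of logs_on with one more account used on host (e.g. via ShellRunas)."""
    updated = {h: set(u) for h, u in logs_on.items()}
    updated.setdefault(host, set()).add(account)
    return updated

if __name__ == "__main__":
    print(sorted(transitive_dependencies("DOMAIN", ADMIN_ON, LOGS_ON)))
    risky = with_logon(LOGS_ON, "GPMC-WS", "domadmin")
    print(sorted(transitive_dependencies("DOMAIN", ADMIN_ON, risky)))
```

The first result is the chain from the quote (domain, then server, then the workstation of a server administrator); the second shows the set growing by one workstation once the domain admin's credentials are entered there.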


3 Responses to RSAT, Vista and ShellRunas

  1. John says:

    How’d you get so smart? I downloaded and installed the RSAT update but I missed the blurb on the download page about going to add/remove components to finish the installation. There I am, trying to figure out where my shortcuts are. Duh!

    Thank you very much for your willingness to RTFM and share the knowledge.

  2. Chris Knight says:

    The comment Jesper makes about a compromised workstation is probably the best reason why the Vista/Win2008 GPMC should have been backported to Win2003.
    Difficult yes, impossible no.

    The alternative is to have a Vista Business VM installed on a/the server locked down such that it can only be used for Vista/Win2008 Group Policy management.

    The VM is probably the most effective solution for shops needing to perform remote maintenance/management of Group Policy without needing to remote a local Vista machine.

  3. Chris Knight says:

    If you’re using ShellRunAs, then you can run ‘shellrunas.exe /regnetonly’ as well, then running the RSAT components using ‘Run as different user (netonly)…’.

    This means that the component runs locally with normal privileges and the RPC calls made by the component then run with elevated privileges.