Can I start a program from command line for another logged in user?

windows-server-2008 command-line-interface windows-terminal-services

No. Windows does not offer the type of user impersonation capability you're asking about here. There's no sudo equivalent, or even approximation in Windows.

I can't find the document or article at the moment, but not allowing sudo-style user impersonation functionality in Windows was a deliberate design decision way back in the earliest days of the NT kernel, and as a result, we're very much stick with it. (There aren't even any clever workarounds or hacks to circumvent it as there usually are - this one's just far too deeply rooted to get around.)

In the Windows world, in order to perform [practically] any action as a user (whether it's running a program, authenticating against AD or anything else), you require an access token, which is used to identify and authenticate the user's access/privileges. This access token is only created when the user's account name and password are supplied (at login, for RunAs, and so on).

The potentially important caveat (for your purposes) is that an existing access token can be duplicated into an impersonation token, which can be passed on to the ImpersonateLoggedOnUser function, which can be used to impersonate the security context of a logged-on user.

Seeing as how you're one of those developer/programmers who might know how to work with the arcane magiks of .NET, this may be useful to you in writing a small application to achieve what you want to do.

However, to be precisely clear, there is no command you can run or process to follow to impersonate a Windows user, short of coding one up (or finding one someone else coded up), and even then, it's limited to users whose access tokens are available (logged on users).


If the users are logged on, you can use something like owexec to launch processes as them. It doesn't require their password. We use it for something very similar to what you describe, except for the Terminal Services part.

You may need to add some scripting to gather all active sessions, then target them each, individually, with the -u option.

Related

Windows remote access server (PPTP) advertised routes
Rotating outgoing IPs using iptables
Can firewall block packets visible in Wireshark?
Run postfix pipe command under a different user than nobody
IIS 7 Reverse Proxy based on domain name host?
Does Active Directory on Server 2003 R2 support IPv6 subnets in Sites and Services?
Recommendations for handling Directory Harvesting spam on Exchange 2003
ErrorDocument when using Apache as reverse-proxy
Should SPF records provided by ISPs contain "all" at the end?
How do I monitor redundant power supplies on a Dell server?
Image fingerprint to compare similarity of many images
With a 500GB SSD and a 250GB SSD is it possible to mirror a 250GB partition on the 500GB with the 250GB SSD using ZFS?