Using runas utility to grant full read/write to backend feasible?

Banana

After loving the sudo utility on my Mac, I've discovered that Windows supports Runas, which is the same thing as sudo. For those not familiar with UNIX: when you need to do something that you do not have the privilege for, you can authenticate as an administrator for the brief period necessary to complete the task.

Anyway, the theory is that one could store the backend in a folder and set Windows permissions to deny everyone, while granting full permission to a dummy account; let's call it "Access" (how apropos ;) ). Once distributed, users need to click on a shortcut to a front-end, which would then execute a shell command to runas "Access" and link the tables to the backend. The process would be transparent to the user, yet if they tried to browse to the backend, they would be denied access because the privilege is granted only to the specific instance of Access (provided that my understanding of the documentation is correct).

I wanted to test the theory; however, I'm afraid I'm a total rook when it comes to Windows security. My attempts to execute a runas command to open a command shell in another user account were foiled by a curious error saying "Unable to acquire user's password" (though I have the password correct).

Maybe someone can help me out and test the theory and see if it would work out?
 
Okay, I've figured out the RunAs utility. Apparently it didn't like the username@domainname format, preferring domainname/username (why must Microsoft insist on doing it their way instead of everyone's way... but I digress).

Making a quick database with a linked table residing in a restricted folder, it is possible to use runas to open Access as the user that has the privileges, and I've confirmed that I'm still unable to browse to the folder via Explorer even though Access is open. Very cool.

For those wishing to test, here's the simplest set-up without having to muck with permissions and whatnot. If you have a nonadmin account and an admin account, you just need to switch to the admin account and make a new database with a table. Save it in the admin's "My Documents". Then make another database that links to the table you just saved in My Documents. Put that database in a shared location. Switch to the nonadmin account and try to open the database's linked table, and you will get an error. Close the instance, then issue the command below in Run...:

Code:
runas /user:domainname\username msaccess

This will open an instance of Access as the admin and you now have full access to the table, even though you still can't browse to the folder itself.

Since it's good practice to use a shortcut to open msaccess using a workgroup and a user account, it should be easy enough to add runas with the same parameters. However, the problem is that a password for the dummy account is required. This necessitates something akin to a batch file, but that means the password would be in the clear, as one only needs to open the file to see the password for the dummy account, which they shouldn't.

One idea was to have a small "start-up" database where users can use a shortcut to join a workgroup, authenticate the Access user and password, and if authenticated, VBA issues a command to run shell commands using runas with the workgroup and all information, closing the start-up and closing the real front-end as the dummy account and logged in as the same Access user. I assume that if the start-up database is compiled as an MDE, it would effectively hide the password from all but those who know how to use a hex editor.

Or maybe there's an easier way to do this?
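
The exposure raised in the last post (a password readable in a launcher script, or sitting inside a compiled file) can be checked before distribution. The following is an added example, not code from the thread: it searches a file's bytes for a known password in ASCII and UTF-16LE and lists printable runs that mention runas. The password, command line and both byte blobs are constructed, and the "compiled" blob only assumes that a string literal survives compilation as raw bytes; it is not a real MDE.

```python
import re

# Constructed values for this example; not taken from the thread.
SECRET = "Dummy-Pa55"
CMD = "runas /user:DOMAIN\\Access msaccess"

# Byte patterns for runs of 6+ printable characters in each encoding.
PATTERNS = {
    "ascii": re.compile(rb"[\x20-\x7e]{6,}"),
    "utf-16-le": re.compile(rb"(?:[\x20-\x7e]\x00){6,}"),
}

def printable_strings(blob):
    """Return (encoding, offset, text) for each printable run, like `strings`."""
    found = []
    for enc, pat in PATTERNS.items():
        for m in pat.finditer(blob):
            found.append((enc, m.start(), m.group().decode(enc)))
    return sorted(found, key=lambda f: f[1])

def find_secret(blob, secret):
    """Return (encoding, offset) for every occurrence of the known secret."""
    hits = []
    for enc in PATTERNS:
        needle = secret.encode(enc)
        pos = blob.find(needle)
        while pos != -1:
            hits.append((enc, pos))
            pos = blob.find(needle, pos + 1)
    return hits

def runas_mentions(blob):
    """Printable runs that reference runas, i.e. where a launcher command lives."""
    return [s for s in printable_strings(blob) if "runas" in s[2].lower()]

# Constructed stand-in for a launcher script with the password in plain text.
script = b"@echo off\r\nset PW=" + SECRET.encode("ascii") + b"\r\n"

# Constructed stand-in for a compiled file: binary padding around string
# literals stored as UTF-16LE. This is NOT a real MDE, only the same idea.
compiled = (b"\x00\x01\xfe\xff" * 16 + CMD.encode("utf-16-le") + b"\x07\x00"
            + SECRET.encode("utf-16-le") + b"\xff\xfe" * 8)

if __name__ == "__main__":
    for name, blob in (("script", script), ("compiled", compiled)):
        print(name, find_secret(blob, SECRET), runas_mentions(blob))
```

Any hit means the file hands the dummy account's password to whoever can read it, so the check belongs in the release step for every file that ships to users.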
 
