Terminal (UWP apps in general) in Enterprise environments. Need Run-As different user.

[mcdonamw]

So I like the idea of Terminal, as I want my command prompt and powershell in a single window, however I find it's not usable in my work environment.

I have two accounts, my normal one for my interactive login and local administrative needs and a separate account for remote administrative work that happens to be a server/domain admin account that I use via the "run-as different user" option on my win32 apps.

UWP apps seem to be limited in that you cannot run them as "different" users. As such I can NOT use Terminal in my work environment. This is very unfortunate. Are there any plans to address this?

Security is paramount these days and many organizations require users to utilize separate administrative accounts and often logging in with those accounts interactively on a system is against security best practice. As such it's paramount for apps to support the ability to run as different users.

[jborean93]

You technically can use WT as another user but the application needs to be installed as that user, instead of just your current one your current one, for it to work.

In this case I've installed the windows terminal app on both vagrant-domain (my current user - current process - top) and vagrant (test local account - newly spawned process - bottom). You can even use runas.exe /netonly /noprofile /user:DOMAIN\other wt.exe to run WT locally as your current user but any outbound credentials will be with the credentials you've specified. Because it runs locally as the current user this doesn't need that extra installation.

In reality you shouldn't be running as a privileged account, domain admin, on your main workstation. This should be done on some separate host that is disconnected from the internet and designed solely for this purpose. This is done to avoid a potentially compromised workstation from seeing those credentials. It is far more likely that a host that has access to the internet or is used for other purposes to be compromised in some way compared to a "privileged" host designed just for that purpose.

[mcdonamw]

That's good to know. I don't think I attempted to do this via command line. But using command-line to issue run-as commands is great, but MS has put a lot of work in adding run-as administrator/run-as different user into the right click context menu. They just seem to have dropped the ball for UWP based apps, so the primary argument remains. Hell I believe this is still an issue even for MSI installer based shortcuts as well.

With that said, the comment about using my elevated account on my workstation I agree it is less secure than a dedicated box, however even when using a dedicated system for admin purposes it is still best practice to use a limited account for the interactive logon session and still use run-as for the elevated admin-level account. As such the problem remains.

[jfdoyon]

I'm going through the same headache:

• Install Windows 11
• Windows+X + A (On Windows 10 this launched an Admin PowerShell, on Windows 11, it's Terminal as Admin)
• Terminal will not launch because the Terminal App is not installed for the local admin user account I'm using (Which is actually an AzureAD account that is given local admin privileges "automagically"). Because said user should never log on interactively. Run-as only.
• But I can't for the life of me figure out how to install this app for said admin user without actually logging on!!!!

The solution I thought would work would be to:

• Run powershell as the admin account
• run add-appxpackage as that user

Except add-appxpackage complains the user isn't logged on.

I've been trying to figure out how to "fake a log on" enough that this would work, but so far, no luck.

The run-as commands don't work either. As I understand it, "run as" cannot elevate permissions, and does not bring up UAC.

So this great new utility doesn't work out of the box when being used in a completely normal, commonly used scenario. This borders on a bug IMO.

Anyone reading this figure it out?