Showing posts from April, 2016

Running Windows Explorer with different "RUNAS" credentials

As part of securing access to Active Directory, and following the Least Privileges Principle, it has been a goal of mine to be able to run all Administrative Tasks on a Management workstation while only logging in to the workstation using a generic, minimum Privileges user account. While most management consoles can be launched in a "RUNAS" mode, it has been an Achilles Heel that it has always been thought that you could not run Windows Explorer in a RUNAS. This prevents you from doing File System Permission management. Well, my genius friend (who is an absolute wizard at Google Searches) has found an answer. Follow the steps below to do it.

1. Start the Registry Editor as an Administrative User.
2. Navigate to, take ownership of, and grant yourself Full Control permission to the key HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2} (This is "Elevated-Unelevated Explorer Factory").
3. Rename the value RunAs to _RunAs.
4. Close Regedit.

runas /user:domain\use

Active Directory Last Logon. Lots of confusion

I am sure that everyone who administrates AD runs into this problem at some point. Here is an article that thoroughly lays it all out.

http://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx

The summary of this article is that if you want to find out the TRUE last logon activity for a user, it is best to use the command

Search-ADAccount -AccountInactive -DateTime ((get-date).adddays(-90)) -UsersOnly

If you are ONLY interested in dates that are more than 14 days ago, then you can safely use the "LASTLOGONDATE" attribute. Less than 14 days of viewing and you cannot trust this attribute. You must get fancy and query all of the DCs individually.
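One way to do the per-DC query mentioned above, as an added example that is not code from the original post or the linked article. It assumes the ActiveDirectory PowerShell module is installed; the function name `Get-TrueLastLogon` and the sample account `jdoe` are hypothetical.

```powershell
# Added example: resolve a user's most recent logon by asking every DC.
# lastLogon is not replicated, so each DC only knows the logons it handled itself.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    $results = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                            -Properties lastLogon -ErrorAction Stop
            [pscustomobject]@{
                DC        = $dc.HostName
                Failed    = $false
                # lastLogon is a FILETIME (UTC); 0 or empty means no logon seen by this DC
                LastLogon = if ($u.lastLogon -gt 0) { [DateTime]::FromFileTimeUtc($u.lastLogon) } else { $null }
            }
        }
        catch {
            # DC offline or query error: record it so a gap in coverage is visible
            [pscustomobject]@{ DC = $dc.HostName; Failed = $true; LastLogon = $null }
        }
    }

    # Newest value across all DCs that answered
    $latest = $results | Where-Object LastLogon |
              Sort-Object LastLogon -Descending | Select-Object -First 1

    [pscustomobject]@{
        User         = $SamAccountName
        LastLogonUtc = $latest.LastLogon
        AnsweredBy   = $latest.DC
        FailedDCs    = @($results | Where-Object Failed | ForEach-Object DC)
    }
}

Get-TrueLastLogon -SamAccountName 'jdoe'   # 'jdoe' is a constructed sample account
```

A non-empty `FailedDCs` list means the reported time is only a lower bound, since a DC that did not answer may hold a more recent logon.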