How to RunAs with NetOnly and SaveCred Simultaneously for Persistent Remote Authentication



Windows administrators frequently encounter this scenario: You need to execute processes under alternate credentials (runas) with remote authentication (/netonly) while avoiding repetitive password prompts (/savecred). The native Windows runas command frustratingly prevents combining these essential flags.

The technical constraint stems from how Windows handles credential storage. /savecred stores credentials in the Windows Credential Manager for local processes, while /netonly specifies remote-only authentication. Microsoft deliberately blocks their combination due to security implications of storing network credentials persistently.

Here are three reliable approaches I've tested in enterprise environments:

1. Scheduled Task with Saved Credentials

schtasks /create /tn "RemoteAppTask" /tr "C:\path\app.exe" /sc ONSTART /ru domain\user /rp password /rl HIGHEST

2. PowerShell Alternative

Start-Process -FilePath "cmd.exe" -Credential (Get-Credential) -ArgumentList "/c C:\path\app.exe" -LoadUserProfile -NoNewWindow

Combine with this to save credentials securely:

$cred = Get-Credential
# Without -Key, ConvertFrom-SecureString uses DPAPI, so only the same user on the same machine can read the file back
$cred.Password | ConvertFrom-SecureString | Set-Content "C:\secure\cred.txt"
# Read it back later with: Get-Content "C:\secure\cred.txt" | ConvertTo-SecureString

When implementing persistent authentication:

  • Always store credentials in secure locations (DPAPI, Credential Manager)
  • Limit saved credentials to specific applications
  • Rotate credentials regularly
  • Audit credential usage through Windows Event Logs
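The audit point is easiest to act on with a concrete query. The following is an added example, not code from the original post: it pulls the Security-log events that alternate-credential use leaves behind, namely 4624 with LogonType 9 (NewCredentials, which is what runas /netonly produces), 4648 (logon with explicit credentials, which names the account whose credentials were used) and 4698 (scheduled task created). It assumes an elevated shell and that the "Audit Logon" and "Audit Other Object Access Events" subcategories are enabled; 4698 is not logged otherwise.

```powershell
# Added example (not from the original post): list the Security-log traces of
# alternate-credential use on this host for the last N hours.
function Get-AlternateCredentialEvents {
    param([int]$Hours = 24)

    $filter = @{ LogName = 'Security'; Id = @(4624, 4648, 4698); StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $ev = $_
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable keyed by Name
        $d = @{}
        foreach ($n in ([xml]$ev.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # For 4624 only NewCredentials logons (type 9) are of interest; skip the rest
        if ($ev.Id -eq 4624 -and $d.LogonType -ne '9') { return }

        switch ($ev.Id) {
            4624 {
                $what   = 'NewCredentials logon (runas /netonly style)'
                $detail = "process $($d.ProcessName)"
            }
            4648 {
                $what   = 'Explicit credentials used'
                $detail = "as $($d.TargetDomainName)\$($d.TargetUserName) from $($d.ProcessName)"
            }
            4698 {
                $what   = 'Scheduled task created'
                $detail = "task $($d.TaskName)"
            }
        }

        [pscustomobject]@{
            Time    = $ev.TimeCreated
            Id      = $ev.Id
            Event   = $what
            Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Detail  = $detail
        }
    }
}

# Review the last day, most recent first
Get-AlternateCredentialEvents -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize
```

A 4624/type 9 event shows the caller's account in both Subject and New Logon sections because the new process reuses the caller's local token; the account actually supplied for network use appears only in the matching 4648, which is why both IDs are queried together.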

For production environments, consider these robust alternatives:

  • Group Managed Service Accounts (gMSA)
  • Just-in-Time Privilege solutions
  • Third-party tools like CyberArk or Thycotic

Windows' runas command has two particularly useful switches:

runas /netonly /user:DOMAIN\username program.exe
runas /savecred /user:DOMAIN\username program.exe

The frustration comes when you need both functionalities: remote authentication (/netonly) with credential persistence (/savecred). Microsoft deliberately prevents combining these flags due to security considerations.

Here are three proven methods to achieve the desired outcome:

1. Scheduled Tasks Approach

Create a scheduled task with stored credentials:

schtasks /create /tn "RemoteAppTask" /tr "program.exe" /sc ONCE /sd 01/01/1980 /st 00:00 /ru DOMAIN\username /rp PASSWORD /rl HIGHEST

Then execute it on demand:

schtasks /run /tn "RemoteAppTask"
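The schtasks commands in this section and in the first "Scheduled Task with Saved Credentials" section both pass the password on the command line. The following is an added example, not code from the original post: it registers the same on-demand task through the ScheduledTasks module (Windows 8 / Server 2012 and later) so the password comes from a credential prompt and never appears in console history or in process-creation audit events. The task name and program path are assumptions.

```powershell
# Added example (not from the original post): on-demand task with stored credentials,
# registered from PowerShell instead of the schtasks command line.
$taskName = 'RemoteAppTask'                 # assumed
$program  = 'C:\path\to\app\program.exe'    # assumed

$cred = Get-Credential -Message 'Account the task runs as (DOMAIN\username)'

$action   = New-ScheduledTaskAction -Execute $program -WorkingDirectory (Split-Path $program)
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

# No -Trigger: the task exists only to be started on demand, like /sc ONCE with a date in the past.
# -Password takes a plain string; it lives in this process only and is never written to a command line.
Register-ScheduledTask -TaskName $taskName -Action $action -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Highest -Force | Out-Null

# Run it on demand and check the outcome (LastTaskResult 0 = success, 267009 = still running)
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 2
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object LastRunTime, LastTaskResult

# When the task is no longer needed, remove it so the stored credential goes with it:
# Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
```

The Task Scheduler service keeps the password in its own credential store and uses it for a real logon each time the task starts, so this path relies on "Log on as a batch job" being granted to the account; the 4698 event written at registration is the audit hook for it.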

2. PowerShell Alternative

A more flexible solution using PowerShell:

$cred = Get-Credential
# Start-Process -Credential performs a full logon for the new process; /netonly is a runas switch,
# not an argument program.exe understands, so it is not passed here.
Start-Process "program.exe" -Credential $cred -LoadUserProfile -NoNewWindow -WorkingDirectory "C:\path\to\app"
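Start-Process -Credential always performs a full local logon and has no network-only mode; runas gets /netonly from the Win32 API CreateProcessWithLogonW called with LOGON_NETCREDENTIALS_ONLY. The following is an added example, not code from the original post: it calls that API through P/Invoke so the new process keeps the caller's local token and presents the supplied credentials only to remote systems, which is the behaviour the page is after. The function name, type name and program path are assumptions; the credential can come from Get-Credential or from a DPAPI-protected file.

```powershell
# Added example (not from the original post): runas /netonly equivalent via CreateProcessWithLogonW.
$source = @'
using System;
using System.Runtime.InteropServices;

public static class NetOnlyLaunch
{
    public const uint LOGON_NETCREDENTIALS_ONLY = 0x00000002;

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb;
        public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess, hThread;
        public int dwProcessId, dwThreadId;
    }

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessWithLogonW(
        string lpUsername, string lpDomain, string lpPassword, uint dwLogonFlags,
        string lpApplicationName, string lpCommandLine, uint dwCreationFlags,
        IntPtr lpEnvironment, string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
Add-Type -TypeDefinition $source

function Start-NetOnlyProcess {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,   # DOMAIN\username or UPN form
        [Parameter(Mandatory)][string]$CommandLine,
        [string]$WorkingDirectory = $PWD.Path
    )
    $net    = $Credential.GetNetworkCredential()            # splits DOMAIN\username into Domain / UserName
    $domain = if ($net.Domain) { $net.Domain } else { $null } # UPN logons pass a null domain

    $si = New-Object NetOnlyLaunch+STARTUPINFO
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf([NetOnlyLaunch+STARTUPINFO])
    $pi = New-Object NetOnlyLaunch+PROCESS_INFORMATION

    # Creation flags 0: CREATE_NEW_CONSOLE and CREATE_DEFAULT_ERROR_MODE are implied by this API.
    $ok = [NetOnlyLaunch]::CreateProcessWithLogonW(
        $net.UserName, $domain, $net.Password,
        [NetOnlyLaunch]::LOGON_NETCREDENTIALS_ONLY,
        $null, $CommandLine, 0, [IntPtr]::Zero, $WorkingDirectory, [ref]$si, [ref]$pi)
    if (-not $ok) {
        $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw (New-Object ComponentModel.Win32Exception $code)
    }
    [void][NetOnlyLaunch]::CloseHandle($pi.hThread)
    [void][NetOnlyLaunch]::CloseHandle($pi.hProcess)
    return $pi.dwProcessId
}

# Usage (program path assumed). With LOGON_NETCREDENTIALS_ONLY the password is not validated
# at launch; a wrong one only shows up as an access-denied error on the first remote connection.
$cred   = Get-Credential -Message 'DOMAIN\username for remote access'
$procId = Start-NetOnlyProcess -Credential $cred -CommandLine 'C:\path\to\app\program.exe' -WorkingDirectory 'C:\path\to\app'
"Started PID $procId with network-only credentials for $($cred.UserName)"
```

Each call writes a 4624 event with LogonType 9 and a 4648 event naming the account, exactly as runas /netonly does, so the audit guidance later on this page applies to it unchanged.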

To persist credentials securely:

# Export-CliXml protects the SecureString inside with DPAPI: only the same user on the same machine can Import-CliXml it back
$cred | Export-CliXml -Path "C:\secure\path\cred.xml"
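Both persistence snippets on this page (ConvertFrom-SecureString to a text file, and Export-CliXml here) rely on DPAPI, which is bound to the saving user and machine. The following is an added example, not code from the original post: it wraps Export-CliXml in a save/load pair that also strips inherited NTFS permissions from the file and fails early, with a clear message, when the blob is read by a different user or on a different host. The function names and the path are assumptions.

```powershell
# Added example (not from the original post): DPAPI-backed credential file with a
# restrictive ACL and an explicit decryption check at load time.
$credPath = 'C:\secure\path\cred.xml'   # assumed

function Save-ProtectedCredential {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$Path
    )
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    $Credential | Export-CliXml -Path $Path            # SecureString is DPAPI-protected in the XML

    # Replace inherited ACEs with a single ACE for the current user. Administrators and SYSTEM can
    # still take ownership; DPAPI is the real boundary, the ACL just keeps casual reads out.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in $acl.Access) { [void]$acl.RemoveAccessRule($ace) }
    $me   = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ProtectedCredential {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $c = Import-CliXml -Path $Path
        [void]$c.GetNetworkCredential().Password       # force decryption now, not at first use
        return $c
    } catch {
        throw "Cannot decrypt '$Path' as $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME; DPAPI blobs are bound to the saving user and machine. $($_.Exception.Message)"
    }
}

# One-time: save under the same account that will later launch the process
Save-ProtectedCredential -Credential (Get-Credential -Message 'DOMAIN\username') -Path $credPath

# Every run: load and launch without a prompt
$cred = Get-ProtectedCredential -Path $credPath
Start-Process 'program.exe' -Credential $cred -WorkingDirectory 'C:\path\to\app' -LoadUserProfile
```

Because the blob is tied to the user profile, a service or scheduled task that runs as a different account cannot read it; in that case save the file while running as that account, or pass -Key to ConvertFrom-SecureString and manage the key separately.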

3. Third-Party Tools

Consider these specialized utilities:

  • PsExec from Sysinternals
  • AutoIt for credential automation
  • Windows Credential Manager API integration

When implementing these solutions:

  • Always store credentials in secure locations
  • Use appropriate file system permissions
  • Consider encrypting credential stores
  • Regularly rotate stored credentials

For larger deployments, consider:

# Group Policy Preference for mapping drives with stored credentials
# Requires proper ACLs on the XML files
# Caveat: GPP stores the value in the cpassword attribute, AES-encrypted with a key Microsoft
# published; MS14-025 (2014) removed the ability to save new passwords this way, and any existing
# cpassword entries in SYSVOL should be treated as plaintext and removed.
<DriveMap clsid="{...}">
  <Properties action="U" userContext="1" userName="DOMAIN\user"
    cpassword="AES-encrypted-password" path="\\server\share"/>
</DriveMap>