quote:

---

SU for Windows NT v2.99 Jun 4 1997 10:01:43
(c) Copyright 1995, 1996, 1997 by Scott Field (sfield@microsoft.com)

Usage: su <User> "[cmdline]" [domain] [[Winsta\]Desktop] [options]
-cb do not create new console (do not use with redirected passwords)
-dn do not switch to new desktop if one was specified
-e disables environment preparation (Inherit parent environment)
-g force GUI option prompting with supplied commandline arguments
-l disables loading of the user registry hive (use .Default)
-v verbose output to stdout
-w do not wait on child (registry hive will remain loaded)

One of the following logon types may be specified. Default is interactive.
-b batch, target user needs SeBatchLogonRight
-i interactive, target user needs SeInteractiveLogonRight
-s service, target user needs SeServiceLogonRight
-n network, target user needs SeNetworkLogonRight (WinNT 4.0 only)

Not specifying a cmdline invokes the default command processor (%comspec%)
Not specifying a domain causes account lookup in the following order:
Well-known, built-in, local accounts, primary domain, trusted domains
Specifying . as the domain limits the LogonUser search to the local machine
Not specifying Winsta\Desktop launches child on current Winsta\Desktop
Winsta0\Default is the user default interactive Windowstation and desktop

---

well.
I recommend that you first create admin user. that you can set disabled when not needed (for security)
then do su call (syntax above) for xcopy.
place them in the bat/cmd file.
use bat2exec (found by clicking this bat2exec - at home.wanadoo.nl) which translates bat files to exe's so syntax can't be seen.
after that use secure21 (found also on the same site secure21.zip)
it crypts the exe file.
this crypted exe can then be used in normal logonscripts.