I've looked into this further, and it is not going to happen in KiXcrypt

The CreateProcessAsUser() call requires security a security token provided by LogonUser(). This can only be a local (machine) login. To run stuff in a network user environment requires a client/server approach, which is why su.exe requires the "suss" service. Requests are send to the login server which I assume either executes calls in a local context (on the server), or executes LogonUser() locally and then returns security tokens that can be used by the client to start processes.

To implement this would require me to write a secure client server product which is well beyond the remit of KiXcrypt.

Best option is to get MS to fix SU.EXE for XP [Frown]

While looking into this I found a third-party su here:
http://www.stefan-kuhr.de/supsu/main.php3
At least this one is actively supported [Razz]