Tips and Tricks

Giving Up Privilege

Learn how to properly manage admin accounts.

Don’t log onto your workstation using an administrative user account. This includes accounts that are members of your computer’s local Administrators group, but especially accounts that are members of all-powerful groups like Domain Admins, Enterprise Admins, Schema Admins and so forth. Sure, you’ll need the special permissions offered by those groups, but create a separate account that belongs to Domain Admins (for example), and use that account for administrative tasks.

I can hear the grumbling now: “This guy has never worked in a real environment. What a hassle two accounts would be!” I know, because I worked in a shop that made admins use dual accounts before the days of Windows 2000, when doing so became practical. That’s right, practical! Win2K, Windows XP and Windows Server 2003 offer alternate credential capabilities that can make following the principle of least privilege—logging on with just enough rights to do what you need—easy and seamless.

Probably the most well-known method of accessing alternate credentials is the Runas command-line tool. For example, typing “Runas /user:AdminDon@domain.com mmc.exe” (the /user: switch must come before the program name) will launch a blank Microsoft Management Console (MMC) under my administrative account’s privileges, even if I logged on using a non-administrative account. I’d be prompted for the account’s password, and only the MMC would have the elevated permissions. Any other software I launch—like a virus—would still run under my regular, non-admin user account and would do significantly less harm.

But the Runas command isn’t the most convenient thing in the world; having to open a command-line window just to open graphical tools like AD Users & Computers seems like a waste of time. There’s an easier way, though: just right-click. Almost any executable, including Start menu items, can be run under alternate credentials by right-clicking the item and selecting “Run as...” from the context menu (in some versions of Windows you’ll need to hold down the Shift key while right-clicking). When the credentials dialog box appears, select the user account you want, provide the password, and you’re off and running. Again, only that executable will have the permissions of the new account. By the way, if you’re a software developer, the “Run as” technique can be a helpful testing tool: Just run your applications under a normal user account to see if your application will run into any unexpected permissions problems.

Create a Shortcut for Admin Tasks
Need to run command-line utilities as an administrator? Just create a desktop shortcut to Cmd.exe. The shortcut will open a command-line window, and you can right-click the shortcut to select the “Run as…” menu option, causing Windows to prompt you for the administrative credentials you want to use. You can use the single shortcut with any number of administrative credentials: Domain administrator, Exchange administrator, Enterprise administrator and so on.

But what if you’re too busy to even right-click and select “Run as...”? You can create your own shortcuts that use the “Run as” functionality—meaning, you’ll only need to double-click the new shortcut to, say, AD Users & Computers, instead of the shortcut that comes with Windows. You’ll be prompted for your alternate credentials and able to do all the work needed. Create a shortcut with the command line “Runas /user:user@domain application_name”.
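The shortcut trick above, scripted so it can be repeated on every admin workstation, as an added example (not from the article): it creates one desktop shortcut per admin console, each wrapping runas.exe, and then checks that the interactive logon itself is not an administrator. The account name is a placeholder; dsa.msc assumes the admin tools pack is installed.

```powershell
# Added example: build "Run as" desktop shortcuts for admin consoles.
# Each shortcut launches runas.exe, so only that one process gets the admin token;
# everything else on the desktop keeps running as the low-privilege logon account.
param(
    # Placeholder admin account; replace with your own separate admin account.
    [string]$AdminAccount = 'AdminDon@domain.com'
)

# Consoles to wrap. Keys become shortcut names, values are the program runas launches.
$tools = @{
    'AD Users and Computers (admin)' = 'mmc.exe dsa.msc'
    'Computer Management (admin)'    = 'mmc.exe compmgmt.msc'
    'Admin Command Prompt'           = 'cmd.exe'
}

$desktop = [Environment]::GetFolderPath('Desktop')
$runas   = Join-Path $env:SystemRoot 'System32\runas.exe'
$shell   = New-Object -ComObject WScript.Shell

foreach ($name in $tools.Keys) {
    $lnk = $shell.CreateShortcut((Join-Path $desktop "$name.lnk"))
    $lnk.TargetPath = $runas
    # runas syntax: /user:<account> comes first; the program and its arguments
    # are passed as one quoted string. No /savecred, so the password is asked
    # for on every launch rather than cached on the workstation.
    $lnk.Arguments        = "/user:$AdminAccount `"$($tools[$name])`""
    $lnk.WorkingDirectory = $env:SystemRoot
    $lnk.Save()
    Write-Host "Created shortcut: $name"
}

# Sanity check: the interactive session itself should NOT carry an admin token.
# (On UAC-era Windows a filtered token also reports false here, which is the intended state.)
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning "This logon runs with an admin token. Log on as a standard user and use the shortcuts instead."
} else {
    Write-Host "Logon is non-admin; elevated work goes through the shortcuts only."
}
```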

And why not log onto your workstation with an administrative account and just run your user apps under alternate, less-powerful credentials? Because that still makes the default credentials too powerful. Default credentials should have as few extra permissions as possible to provide the best security. Log on as a lowly user and give admin permissions just to the applications that require them. Thanks to the “Run as” functionality in Win2K and higher, it’s easy and pretty transparent.

About the Author

With more than fifteen years of IT experience, Don Jones is one of the world’s leading experts on the Microsoft business technology platform. He’s the author of more than 35 books, including Windows PowerShell: TFM, Windows Administrator’s Scripting Toolkit, VBScript WMI and ADSI Unleashed, PHP-Nuke Garage, Special Edition Using Commerce Server 2002, Definitive Guide to SQL Server Performance Optimization, and many more. Don is a top-rated and in-demand speaker and serves on the advisory board for TechMentor. He is an accomplished IT journalist with features and monthly columns in Microsoft TechNet Magazine, Redmond Magazine, and on Web sites such as TechTarget and MCPMag.com. Don is also a multiple-year recipient of Microsoft’s prestigious Most Valuable Professional (MVP) Award, and is the Editor-in-Chief for Realtime Publishers.


Reader Comments:

Wed, Mar 10, 2004 Anonymous Anonymous

I think you may be missing the point Anonymous... Don's not saying all apps don't need admin rights, he's saying to use RUNAS to launch them instead of logging on as an admin user for EVERYTHING. I use XP at work and run TurboTax with RUNAS and it works fine.

Mon, Mar 8, 2004 Anonymous QLD

We are trying to go that way, but I agree with the problem of 'legacy' progs needing admin rights. We want to move to Win XP and Server2003 but it could get worse.

Mon, Mar 1, 2004 Raul Perez West Hartford, CT

An excellent piece of information about how to be a good administrator.
