Windows 2000 (Win2K) includes a Run As command that lets you log on as one user (e.g., a member of the Users group) and run programs as a different user (e.g., a member of the Administrators group). If you work as a network administrator, you’ll appreciate the ability to run programs in a different security context. You can log on with your ordinary user account that doesn’t have special privileges and perform administrative tasks without logging on as an administrator.
The Hazards of Running Your Computer as an Administrator
If you work as a network administrator, you know that you should avoid adding your user account to the Administrators group. And common sense dictates that you should log on as an administrator only if you need to perform tasks that require administrative authority. On a Windows 2000 Professional (Win2K Pro) machine, you can add your account to the Power Users group; members of the Power Users group can make changes to the computer, add printers, install programs, and use most of the Control Panel programs. On a Windows 2000 Server (Win2K Server) system, you can add yourself to the Account Operators or Server Operators group to perform some administrative chores. Several other groups with limited administrative authority exist that you can assign yourself to when you need to have administrative privileges.
Trojan Horses and Other Security Risks
Network and systems administrators shouldn't log on to Win2K computers as administrators to perform routine office tasks such as reading email and working on Word documents. In the Win2K documentation, Microsoft issues clear warnings about the security risks you expose yourself to when you run Win2K as an administrator. For example, you run the risk of inadvertently downloading a Trojan horse, a computer program that can behave like a familiar, benign program but can trick you into providing sensitive information. Trojan horse code can download to your computer when you connect to an unknown site on the Internet. The damage that a Trojan horse can do ranges from creating a user account with administrator privileges to deleting files from your hard drive. Fortunately, Win2K's Run As command helps you minimize the risks to your administrator account.
Run As to the Rescue
With the Run As command, you can log on to your computer with a standard user account and run administrative tools without logging on as an administrator. Let's look at an example of how you can use the command.
Imagine you're logged on with a standard user account and you want to run the Control Panel's Add/Remove Programs applet. The first step is to go to the Control Panel and highlight the Add/Remove icon. Hold down the Shift key and right-click the icon to see the context menu that Screen 1 shows. Select Run As to bring up the Run As Other User screen, where you can enter a different username, password, and domain name. If you want to run Add/Remove Programs as a local administrator, type the name of the local computer in the Domain box; if you want to run the program as the domain administrator, type the name of your domain in the Domain box.
You can use the Run As command with just about any program, including Control Panel items, as long as the user account has the ability to log on locally. You can also use the Run As command with Microsoft Management Consoles (MMCs). It's possible to use the Run As command at the command prompt so you can use it in a batch file. However, you can’t start Windows Explorer or desktop items using Run As.
Tips for Using Run As
You're not limited to using the Run As command as an administrator; you can use it with any user account as long as the Run As service is running. The Run As service allows only password authentication, so any other form of authentication, such as a smart-card logon, won't work with Run As.
Finally, here's a suggestion that you might find useful: If you would like the system to prompt you for alternate credentials each time you use a certain tool, you can create a shortcut for that tool and select Run as different user in the shortcut’s properties. For example, I have installed on my Win2K Pro machine all the tools I need to manage my Win2K domain. I can log on with my regular user account and run Active Directory Users and Computers as my domain administrator account. To create the shortcut that will work in this situation, you must create a new MMC (if you use the built-in Active Directory Users and Computers MMC, the option you need to use will appear grayed out):
- Start a new MMC and add the Active Directory Users and Computers snap-in. For more information see Getting the Most out of the Microsoft Management Console.
- Save the console, and create a shortcut for it on the desktop.
- Right-click the shortcut icon, and select Properties.
- Check the box Run as different user, as Screen 2 shows.
Now when you launch this shortcut, the system will ask you whether you want to run the tool as a different user, and you can run it as an administrator without logging on as an administrator.
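The command-prompt form of Run As mentioned earlier can launch the same saved console from a batch file. The script below is an added example, not part of the original article: the domain EXAMPLE, the account admin-jdoe, and the console path C:\Tools\aduc.msc are placeholders, and the service display name "RunAs Service" is an assumption about a default Win2K installation.

```batch
@echo off
rem Added example: open a saved Active Directory Users and Computers console
rem under an administrative account while logged on as an ordinary user.
rem EXAMPLE\admin-jdoe and C:\Tools\aduc.msc are placeholders, not values
rem from the article. The path has no spaces, so it needs no inner quoting.
setlocal
set ADMIN_ACCOUNT=EXAMPLE\admin-jdoe
set CONSOLE=C:\Tools\aduc.msc

rem Run As works only while its service is running. "RunAs Service" is the
rem assumed Win2K display name; adjust the string if your system differs.
net start | find /i "RunAs Service" >nul
if errorlevel 1 (
    echo The Run As service is not running. Start it and try again.
    goto :eof
)

rem Fail early if the saved console is missing.
if not exist "%CONSOLE%" (
    echo Console file %CONSOLE% was not found.
    goto :eof
)

rem runas prompts for the password interactively, so no password is stored
rem in this file. The account must be able to log on locally and must use
rem password authentication.
runas /user:%ADMIN_ACCOUNT% "mmc %CONSOLE%"
if errorlevel 1 echo runas did not start the console. Check the account name and password.
endlocal
```

Keep the batch file and the saved console in a folder that only administrators can write to, so the file you launch with administrative credentials cannot be replaced by an ordinary user account.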