Cool Tools: The Windows 2000 Secondary Logon

By ServerWatch Staff
Posted Sep 29, 2000


Thomas Shinder

If you've spent much time in a production environment, you are doubtlessly aware of the importance of not using the built-in Administrator account as a working user account. Although there is nothing inherently evil about using this account as your user account, you definitely put yourself in harm's way. You are essentially a kid with a loaded gun while logged in as Administrator, and what might have been trivial lapses in judgment may turn out to be disastrous to the system you're working on.

When you're logged on as Administrator, you are running at a higher level of privilege than if you used a normal user account. Even if you didn't do something stupid, you could inadvertently visit a malicious web page that contains code harmful to your system. And since that code isn't fettered by the limitations of a normal logged-on account, it can do nasty things like reformat your disk or send interesting database files to the attacker.

The RunAs Service Saves the Day

The solution to this problem has been to use a normal user account that provides the level of access required to get your normal work done. When you need to perform administrative tasks, you log off and then log on as Administrator, or as a member of the Administrators group.

This sounds easy, and it is. However, you'll quickly tire of the logging on and off and then back on again just to accomplish the most mundane of administrative tasks. This is where the RunAs service comes in and saves the day.

Windows 2000 provides the user the ability to run programs under another user context. Thus, if you need to perform a task that requires administrator rights and permissions, you can access the required program by using the RunAs Service.

How Do I Make It Work?

The easiest way to invoke the RunAs service is to hold down the SHIFT key and then right-click the program or shortcut that you want to run in the different user context. For example, suppose you want to run some command line utilities in an administrative context. All you need to do is find the command prompt shortcut in the Start menu, hold down the SHIFT key on the keyboard, and then right-click the shortcut.

After invoking the RunAs service by this method, you'll see a dialog box asking for credentials.

Just type in the name, password and domain (or local computer name if you wish to use a local administrator account) and the program runs in the context of the new user credentials.

I Hate GUIs, Can I Do This From The Command Line?

Yes! You can accomplish the same feats from the command line. To invoke the RunAs command from the command line, do the following:

1. Open the command prompt. At the command prompt enter the following:

runas /user:[domain\username] [command]

or for a local administrative account:

runas /user:[machine_name\username] [command]

2. After running this command, a line will appear in the command console that says:

Enter password for [domain\username]:

3. Enter your password. The keystrokes will not be echoed. If you make a mistake, you will get the error:

RUNAS ERROR: Unable to run - explorer.exe
1326: Logon failure: unknown user name or bad password.

4. If you end up typing a bad name or password, go back to step 1 and begin again.
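
The steps above as a reusable batch file, added here as an example and not part of the original article: it warns when the current session already has administrative rights, checks that the service is running, and repeats the runas prompt after a failed logon. The default account name, the default program, the three-attempt cap and the reliance on runas returning a nonzero exit code on failure are assumptions.

```batch
@echo off
rem Added example, not from the original article.
rem Usage: runas-admin.cmd [account] [program]
rem Defaults are assumptions: local account "Administrator", program cmd.exe.
setlocal

set "ACCOUNT=%~1"
if "%ACCOUNT%"=="" set "ACCOUNT=%COMPUTERNAME%\Administrator"
set "PROGRAM=%~2"
if "%PROGRAM%"=="" set "PROGRAM=cmd.exe"

rem "net session" succeeds only with administrative rights, so success here
rem means this session is already privileged. Heuristic: needs the Server service.
net session >nul 2>&1
if not errorlevel 1 (
    echo WARNING: this session already has administrative rights.
    echo Log on with a normal user account for daily work.
)

rem runas depends on the service named in the article. The display names
rem searched for here are the English ones.
net start | findstr /i /c:"RunAs Service" /c:"Secondary Logon" >nul
if errorlevel 1 (
    echo The RunAs / Secondary Logon service is not running.
    exit /b 2
)

rem Cap the attempts so repeated typos do not trip an account lockout policy.
set TRIES=0
:retry
set /a TRIES+=1
rem runas prompts for the password itself; it is never stored or passed here.
runas /user:%ACCOUNT% "%PROGRAM%"
if not errorlevel 1 goto done
if %TRIES% LSS 3 (
    echo Logon failed, attempt %TRIES% of 3. Try again.
    goto retry
)
echo Giving up after %TRIES% failed attempts.
exit /b 1

:done
echo Started "%PROGRAM%" as %ACCOUNT%.
exit /b 0
```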

The RunAs command is a very handy tool for the busy admin who doesn't want to waste time logging on and off. Give it a try today!

For More Information:

For more information on the RunAs command, check out this step-by-step guide at the Microsoft site.

For more information on the details of the Secondary Logon and other administrative procedures, check out Windows 2000 Server System Administration Handbook.
