When should I log on using the Administrator account?

A. A security best practice dictates that you shouldn't use the Administrator account to perform everyday tasks because of the risks associated with accidentally introducing problems as a result of using elevated privileges. To steer clear of such problems, you should create a regular user account for day-to-day use. Then, when you need to perform a task that requires local or domain administrative privileges, use the Runas command to perform such tasks. This command restricts the administrative abilities to the task that you're performing. For example, to open a command prompt with local administrative privileges, enter the command

runas /user:<local machine>\administrator cmd

To open a command prompt with domain administrative privileges, enter the command

runas /user:[email protected]<domain name> cmd

Be aware that you can use the NetBIOS naming format with this command. For example, to open a command prompt with domain administrative privileges on my network, I typed

runas /user:savilltech\administrator cmd

Any commands that you enter at the new command prompt will run as the user entered in the Runas command with that user's associated privileges.

You can replace "cmd" with any command. For example, to start the Microsoft Management Console (MMC) Computer Management snap-in, type

runas /user:<computer/domain>\<account> "mmc %windir%\system32\compmgmt.msc"

To start the MMC Active Directory Users and Computers snap-in, type

runas /user:<computer/domain>\<account> "mmc %windir%\system32\dsa.msc"

For example, to open this snap-in on my computer, I typed

runas /user:[email protected] "mmc %windir%\system32\dsa.msc"

Be aware that if you run the Runas command on a client computer (e.g., running Windows XP or Windows 2000 Professional Edition), the command will fail unless you've installed the administration tools. Although using the Runas command is slightly more work, you can create shortcuts for each command that you routinely run and make your system much safer. If you experience problems, ensure the Secondary Logon service is running--the Runas command requires this service for operation.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.