Administering a Domain Without Logging On as Administrator

\[Editor's Note: Do you have something to share with other Windows NT Magazine readers? We want to know about it. Write for Reader to Reader online, and you can tell others about your NT discoveries, comments, problems, solutions, and experiences. Email your contributions (700 words or less) to [email protected] along with your name and phone number. We edit submissions for style, grammar, and length. If we print your submission, you'll get $100.\]

Most articles on Windows NT security tell you that you should never log on using an administrator account unless you have administrative duties to perform, and that in such cases you should log out and log on again as a regular user as soon as you're done. This approach is great if you have two computers on your desk, but for the rest of us, it can be a real drag. However, not following this sage advice can invite a lot of trouble. First, there's the potential to leave a session open as administrator that another user could be use for malicious or prank use. New Internet Explorer (IE) exploits emerge every week, and unless you take the time to download and install all those patches, you potentially put your whole domain at risk. Second, there's the potential for a virus to make use of the elevated privileges of the current account. Finally, this approach can help you prevent simple human error. If you only bring up these administrative tools when you need them, you'll reduce the chance of doing something silly or worse. By opening the administrative tools on an as-needed basis, you'll force yourself to slow down and hopefully think about what you're doing.

Fortunately, The Microsoft Windows NT Server 4.0 Resource Kit offers an easy fix to let you easily log on and log off with administrator privileges. (By the way, the Resource Kit is a must for any administrator.) First, run

suss.exe -install 

to install the SU service. Next, copy shortcuts for the various NT utilities you want to use (e.g., Server Manager, User Manager) from the Administrative Tools folder. Finally, go into the properties of each icon and change the shortcut from %SystemRoot%\system32\usrmgr.exe to C:\NTRESKIT\SU.EXE adminid "usrmgr" -w (where adminid is the ID of the administrative user).

When you click your new icon for User Manager, for example, a command prompt will appear and prompt you for a password. Type the password for the administrative ID you just specified, and User Manager will open with administrative privileges. Make sure that you don't already have an ID on the local machine that matches the administrative ID you're trying to use; otherwise, the machine will try to log you on locally. I spent a lot of time trying to find a way around this situation, but ended up eventually just renaming the local administrator ID to admin.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.