Step-by-Step Guide to Using Secondary Logon in Windows 2000
This technical step-by-step guide provides examples of using the secondary logon feature, the Run as service, in the Windows® 2000 operating system. Secondary logon allows administrators to avoid having to log on with an administrative account for each task. Instead, secondary logon enables administrators to log on with an ordinary user account and then start trusted administrative tools in the context of the administrator's account without logging off. A user with multiple credentials can start applications under different credentials without needing to log off.
Until now, one of the biggest problems with security has been that administrators log on to various computers using the administrator account, and perform privileged and non-privileged operations from the same logon session. This is generally done because it is far more convenient to log on once and complete all needed operations than to constantly log on and off, depending on the task being performed. This makes computers susceptible to Trojan horse attacks. Simply running an Internet browser and accessing a non-trusted Web site can be damaging to the system if done from an administrative context. The Web page may have Trojan horse code that can be downloaded to the system. If executed in the administrative context, this code can potentially reformat a disk, delete all files, create a new user with administrative access, and so on.
The secondary logon capability in the Windows® 2000 operating system addresses this problem by providing a way to start applications in different security contexts without having to log off. This capability is provided using the Run as service.
Secondary logon allows administrators to log on to a non-administrative account and still be able to perform administrative tasks by running trusted administrative applications in an administrative context. Secondary logon requires system administrators to have two user accounts: a regular account that has basic user rights and security, and an administrative account that can be different for each administrator or shared among administrators.
This feature is primarily intended to allow system administrators to separate administrative operations from user level operations. Additionally, any user with multiple accounts can start applications under the different account contexts without needing to log off.
This technical guide introduces you to the Run as service and its associated tools.
Prerequisites and Requirements
There are no prerequisites: you don't need to complete any other step-by-step guide before starting this guide. You need one machine running either Windows 2000 Professional or Windows 2000 Server. For the most current information about hardware requirements and compatibility for servers, clients, and peripherals, see the Check Hardware and Software Compatibility page http://www.microsoft.com/windows2000/server/howtobuy/upgrading/compat/default.asp on the Windows 2000 Web site.
Using Secondary Logon Features
Activating the Run As Service
The Run as service starts automatically after a clean install of the Windows 2000 operating system. However, if this service is not currently running, use the following steps to start the service.
Log on using an account with administrative privileges.
Right-click My Computer and click Manage.
Click Services and Applications, and then double-click Services in the window shown in Figure 1 below.
Figure 1: Select Services
Double-click RunAs Service. The RunAs Service Properties dialog box appears.
Select Automatic in the Startup type drop-down list box so that you do not have to restart this service each time you reboot.
Click the Start button to use the service immediately. Click OK to close the dialog.
Using Secondary Logon with a Normal User Account
Before performing these steps, create an ordinary user account named JoeUser, using Local Users and Groups (on workstations and stand-alone servers) or the Active Directory Users and Groups tool (on a domain controller). For this guide, you can use the default administrator account as the administrative account. If you went through the "Installing a Windows 2000 Server as a Domain Controller" guide, you can use one of the users that were created there instead of creating a new one.
If you do not know how to create a user account, see the Windows 2000 Online Help http://windows.microsoft.com/windows2000/en/server/help/ or the guide mentioned above. After you create the account, log off the administrator account and log on using the ordinary user account.
To use secondary logon to start the Add/Remove Hardware tool:
From the Start menu, point to Settings, and then click Control Panel.
Try to start the Add/Remove Hardware tool by double-clicking the icon. Because you are running in a normal user security context, you should receive an error message explaining that you do not have sufficient privileges to start this tool. Click OK to close this dialog box.
Select the Add/Remove Hardware tool by using a single left-click on the icon.
Hold down the Shift key and right-click the Add/Remove Hardware icon. Note the Run as option appears on the menu.
Click Run as. The Run As Other User dialog box shown in Figure 2 appears.
Figure 2: Run As Other User
Type the administrator name and password in the appropriate fields. Note that the domain name can also be changed. Click OK.
The Add/Remove Hardware Wizard starts. Click the Cancel button to close the wizard.
To use an .msc File to Start a Microsoft Management Console (MMC):
Note: This example uses an existing MSC file, diskmgmt.msc, but any .msc file can be started in a different security context using this method.
Using Windows Explorer, copy the file diskmgmt.msc to your desktop. Diskmgmt.msc can be found in the WINDIR\SYSTEM32 subdirectory. By default, this directory is \WINNT\SYSTEM32, located on the boot partition.
Use a single left-click to select the file on your desktop.
Hold down the Shift key, and right-click the diskmgmt icon.
Click Run as on the context menu. The Run As Other User dialog box appears.
Type the administrator name and password in the appropriate fields. Click OK. A new MMC console appears with the Disk Management snap-in loaded.
This snap-in is now running in administrative context. In most cases, system administrators will want to create custom MMC consoles that contain frequently used administrative snap-ins, and then run them using secondary logon. For more about MMC consoles, see the Step-by-Step Guide to the Microsoft Management Console http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/mmcsteps.mspx.
To start an application in an administrative context:
Note: This example uses the Notepad application, but you can open any Windows application in an alternate security context using this method.
Using Windows Explorer, copy the file Notepad.exe to your desktop. Notepad.exe can be found in the \WINDIR\ directory. By default, this directory is \WINNT\, located on the boot partition.
Click the Notepad icon on the desktop to select it.
Hold down the Shift key and right-click the Notepad icon.
Select the Run as command. The Run As Other User dialog box appears.
Type the administrator name and password in the appropriate fields. Click OK. Notepad should now start up.
Note: There is no indication of which security context this application is running in. This is because Windows applications define their own title text that cannot be manipulated by the caller. This can cause some confusion, if you start up multiple processes in different contexts.
To start a shortcut in an administrative context:
Note: The following method will work on shortcuts of .exe files and shortcuts of registered file types, such as .txt, .doc, and .msc.
Create a shortcut to the Diskmgmt program that you created in the previous example: right-click the Diskmgmt icon, and then click Create Shortcut.
Use a single left-click to select the Shortcut to diskmgmt icon on your desktop.
Hold down the Shift key and right-click the Shortcut to diskmgmt icon.
Click the Run as command. The Run As Other User dialog box appears.
Type the administrator name and password in the appropriate fields. Click OK. This will launch another MMC console with the Disk Management snap-in loaded.
You can also configure a shortcut to always use alternate credentials when the shortcut is opened.
To configure this option:
Close any open MMC consoles.
Select the Shortcut to diskmgmt icon.
Right-click the icon, and select Properties.
On the Shortcut page, select the Run as different user check box shown in Figure 3.
Figure 3: Shortcut Dialog
Click OK to close the Properties dialog box.
Double-click the Shortcut to diskmgmt icon to open the console.
The Run As Other User dialog box appears. Complete the appropriate fields, and click the OK button.
Note: This technique can be used for any shortcuts that you create and always need to run under a different security context.
To start a command prompt in the local computer administrative context:
From the Start menu, click Run.
runas /user:machine name\administrator cmd
where machine name is the name of your computer.
A console window appears to prompt you for the password for the machine name\administrator account. Type the password, and then press Enter.
A new console window starts, running in the administrative context. The title of the console will clearly state running as machine name\administrator. You can now start any command-based administrative programs from this console window.
Running Secondary Logon Using Other Security Contexts
The previous examples show the use of secondary logon to run administrative tools in an administrative context. The feature does not preclude starting applications and tools in other security contexts, some of which may have limited capabilities. The feature is general enough to allow running any application or tool in any security context as long as:
You can provide the appropriate account credentials for the alternate context.
The alternate context includes the ability to log on locally to the system.
The application or tool is available on the system and is accessible when working in the alternate context.
Limitations and Solutions
If you attempt the examples above and the results are not as expected, one of the following solutions may resolve the issue.
Run as service is not started. Refer to the section "Activating the Run As Service" to start the service.
The credentials supplied may not be correct. Verify the credentials by logging off and logging on as that user from the initial Windows logon screen. If the logon fails because of a bad password or because the account doesn't have access to the current system, then secondary logon will have the same security constraints.
An .exe will not start. You might be trying to start an .exe from a network path but the credentials used to connect to the network path are not the same as the one being used to start the .exe. The credentials used to start the .exe may not have access to the network path. First start the Windows 2000 command prompt using Run as, then use the Net Use command to reconnect to the network path, and then start the .exe.
Certain applications are launched indirectly by the shell. This includes tools such as Control Panel, the Printers utility, and so on. Because the shell is started in the primary security context during initial logon, any process launched from the shell remains in that security context. Either start the application using the Run as menu option discussed above or shut down the existing shell and restart in the administrative security context, as explained next.
To run the Explorer shell in an administrative security context:
Start Task Manager. Right-click the Task bar, and then click Task Manager.
Click the Processes tab.
Select explorer.exe, and then click the End Process button.
Click Yes on the warning pop-up message. The entire desktop disappears; however, any applications that you have started are still running (including Task Manager).
Click the Applications tab.
Click the New Task button.
runas /user:machine/domain name\administrator explorer.exe
A console window appears and prompts for the password. Minimize Task Manager, type the password, and press Enter.
The desktop returns, including the task bar, shortcuts, Startup folder items, and so on. Perform any required administrative tasks. For example, from the Start menu, click Settings, and then click Control Panel. This starts up the Control Panel in an administrative context.
When you are finished, log off the administrator account. A new shell should automatically start, running in the original JoeUser context.
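The command-line side of the procedures above can be collected in one batch file run from the ordinary user's session. This is an added example, not part of the original guide: the file name adminrun.cmd and the ADMIN_ACCOUNT variable are assumptions, and the optional argument is a network path of your choosing, handled as described under "Limitations and Solutions."

```bat
@echo off
rem adminrun.cmd - added example, not from the original guide.
rem Usage: adminrun.cmd [\\server\share]
rem ADMIN_ACCOUNT is an assumption: the local administrator account of this computer.
setlocal
set ADMIN_ACCOUNT=%COMPUTERNAME%\administrator

rem Secondary logon only works while the RunAs Service is started.
rem "net start" with no arguments lists the display names of running services.
net start | find /i "RunAs Service" >nul
if errorlevel 1 (
    echo RunAs Service is not running.
    echo Log on with an administrative account and start it with:
    echo     net start "RunAs Service"
    goto :eof
)

rem Disk Management console in the administrative context.
rem The program and its argument are passed to runas as one quoted string.
rem runas prompts for the password in this console window.
runas /user:%ADMIN_ACCOUNT% "mmc %SystemRoot%\system32\diskmgmt.msc"

rem Administrative command prompt. If a network path was given, reconnect
rem to it inside the new logon session first, because connections made by
rem the ordinary user are tied to that user's credentials.
if "%~1"=="" (
    runas /user:%ADMIN_ACCOUNT% cmd
) else (
    runas /user:%ADMIN_ACCOUNT% "cmd /k net use %~1"
)
endlocal
```

Each runas call asks for the administrator password separately; nothing is stored in the batch file. Programs started from the resulting prompt run in the administrative context, while the desktop shell stays in the ordinary user's context.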
The example company, organization, products, people, and events depicted in these step-by-step guides are fictitious. No association with any real company, organization, product, person, or event is intended or should be inferred.
This common infrastructure is designed for use on a private network. The fictitious company name and DNS name used in the common infrastructure are not registered for use on the Internet. Please do not use this name on a public network or Internet.
The Microsoft Active Directory™ structure for this common infrastructure is designed to show how Microsoft Windows 2000 features work and function with the Active Directory. It was not designed as a model for configuring an Active Directory for any organization—for such information see the Active Directory documentation.
Step-by-Step Guide to a Common Infrastructure for Windows 2000 Server Deployment:
Installing a Windows 2000 Server as a Domain Controller http://www.microsoft.com/windows2000/techinfo/planning/server/serversteps.asp
Windows 2000 Server Online Help http://windows.microsoft.com/windows2000/en/server/help/
Windows 2000 Planning and Deployment Guide http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/w2rkbook/dpg.asp
Exploring Management Services http://www.microsoft.com/windows2000/technologies/management/default.asp
Windows 2000 Pro Help http://windows.microsoft.com/windows2000/en/professional/help/