First published by Roy Mayo, 28 Sep 2010 12:42 PM
Last revision by Maheshkumar S Tiwari (MVP, Microsoft Community Contributor), 10 Sep 2013 9:30 AM
Best Practices: Using a Separate Account for Admin Tasks
It’s been my observation that in most organizations, administrators use their normal user account for admin tasks. The account is made a member of Domain Admins, DNS Admins, Exchange Admins, or whatever admin group grants the appropriate level of permissions for their role. I would like to make the case for using a separate account for admin tasks.
When using a single account for normal user login and admin tasks, the first thing that comes to mind is all of the Group Policy settings associated with that account. They could include drive mappings, software installation, scripts, etc. that would apply when you log on to a computer. You wouldn’t want to have all of these apply when you log on to an infrastructure server or a Domain Controller.
Another argument is that you will likely be logged in all day. Even the most security-conscious person can step away and forget to lock the keyboard. I hate to admit it, but I have done this, and when I returned 4 minutes later a co-worker had tinkered with my system as a joke. Danger isn’t always lurking in the next cubicle, but there is an undeniable risk.
OK, you concede, but then I would have to log off my normal user account and log on to my admin account every time I need to do something. Not so! Fortunately, in Windows XP there is a feature known as “Run As” that will allow an administrator to log in with a normal user account and, when necessary, execute *.exe or *.msc consoles with their admin account (Shift + right-click, “Run as”). “Run as” was removed in Vista, but ShellRunas can be downloaded from TechNet Sysinternals.
When you need to log into a server remotely using RDP, “Run as” isn’t necessary; you merely log in with your admin credentials.
Returning to the example above, if you walk away from your system and leave a console window open, having a separate admin account really doesn’t help. You should only open an admin console (.msc) when needed and close it when finished. The same is true for remote sessions.
Keep in mind that if you decide to use a separate account for admin tasks, wherever you place it in your OU structure, make certain it is not receiving unnecessary Group Policies.
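One way to check both points, that members of the admin groups are not everyday accounts and that the locations holding them are not picking up unnecessary Group Policy objects. This is an added example, not part of the original article; it assumes a domain-joined machine with the RSAT ActiveDirectory and GroupPolicy modules, and it treats a populated mail attribute as the sign of a daily-use account. The function names are hypothetical.

```powershell
# Added example (not from the original article).
# Assumes: domain-joined host, RSAT ActiveDirectory and GroupPolicy modules, domain read access.
Import-Module ActiveDirectory, GroupPolicy

# Groups named in the article; 'DnsAdmins' is the built-in name. Add your own role groups.
$PrivilegedGroups = 'Domain Admins', 'DnsAdmins'

function Get-AdminAccountReport {
    param([string[]]$Group = $PrivilegedGroups)
    foreach ($g in $Group) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.distinguishedName -Properties mail, LastLogonDate
                [pscustomobject]@{
                    Group         = $g
                    Account       = $u.SamAccountName
                    # Assumption: a populated mail attribute marks an everyday user account
                    LooksDailyUse = [bool]$u.mail
                    LastLogonDate = $u.LastLogonDate
                    # Parent container: strip the leading RDN, honouring escaped commas
                    Parent        = $u.DistinguishedName -replace '^.+?(?<!\\),', ''
                }
            }
    }
}

function Get-AdminOuGpo {
    param([Parameter(Mandatory)][string[]]$Parent)
    $domainDn = (Get-ADDomain).DistinguishedName
    foreach ($p in ($Parent | Sort-Object -Unique)) {
        # GPOs link to OUs or the domain, not to containers such as CN=Users
        $target = if ($p -like 'OU=*') { $p } else { $domainDn }
        (Get-GPInheritance -Target $target).InheritedGpoLinks |
            Select-Object @{ n = 'AppliesTo'; e = { $p } }, Order, DisplayName, Enabled, Enforced
    }
}

$report = Get-AdminAccountReport
if ($report) {
    # Privileged accounts that appear to double as normal user accounts
    $report | Where-Object LooksDailyUse | Format-Table Group, Account, LastLogonDate, Parent
    # Every GPO the admin accounts' locations inherit; review for drive maps, installs, scripts
    Get-AdminOuGpo -Parent $report.Parent | Format-Table -AutoSize
}
```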
I hope this information is useful.
ShellRunas: http://technet.microsoft.com/en-us/sysinternals/cc300361.aspx