Network Administration: RunAs Command

The RunAs command is very useful in administering a Windows Server 2008 network. The RunAs command lets you run a program from a command prompt using the credentials of another user account. Here’s the basic syntax:

runas /user:username [other parameters] program

For example, to run the Microsoft Management Console with the dom1 domain’s administrator account, you can use this command:

runas /user:dom1administrator mmc

Assuming that the username is valid, you’ll be prompted for the user’s password. Then, the program will be run using the specified user’s account.

Here are some of the parameters you can use with the RunAs command:

  • /user: Specifies the domain and username. You can use one of two forms to specify the domain and username: domainusername or username@domain.

  • /profile: Specifies that the user’s profile should be loaded. (This option is on by default, so you don’t have to explicitly specify it.)

  • /noprofile: Doesn’t load the user’s profile. Although this can cause the application to load more quickly, it can also prevent some applications from functioning properly.

  • /env: Uses the current environment instead of the user’s.

  • /netonly: Indicates that the user account isn’t valid in the current domain. (If you use /netonly, the username must be specified in the form domainusername; the username@domain form won’t work.)

  • /savecred: Saves the password so it has to be entered only the first time the RunAs command is used.

    The /savecred parameter is an extremely bad idea, as it creates a gaping security hole. In short, once you’ve used /savecred, any user at the computer can use the RunAs command to run any program with administrator privileges.

  • /smartcard: Specifies that the user’s credentials will be supplied by a smartcard device.