Run Active Directory Management Tools as Another User

How can I run Active Directory management tools as another user (one with administrative privileges)?
As a security best practice, it is recommended that you do not log on to your computer with administrative credentials. Running your computer as a member of the Administrators group makes the system vulnerable to Trojan horse attacks and other security risks.

It is recommended that you use a regular, non-administrative user account to perform routine tasks, including running programs and visiting Internet sites. When it becomes necessary to perform administrative tasks on the local computer or in Active Directory, use RUNAS to start a program using administrative credentials.
RUNAS allows you to accomplish administrative tasks without exposing your computer or data stored in Active Directory to unnecessary risk.
However, using the RUNAS command can turn out to be a real bugger when you need to perform regular administrative operations such as adding a new user, resetting someone’s password, stopping or starting a system service and so on.
In Windows 2000 we welcomed the new addition – the RUNAS command. However, in Windows Server 2003 the RUNAS command got even easier to use.

[Note: The runas command remains fully supported in Windows 10, Windows 11, and Windows Server 2016, 2019, and 2022.] Therefore I recommend using the following method to make your administrative tasks a bit easier to accomplish:

  1. When logged in as a normal, non-privileged user, right-click on an empty spot on your desktop and create a new shortcut.

  2. In the Create Shortcut window type the following text (see other examples below):
runas /savecred /user:dpetri\administrator "mmc dsa.msc"

Note: The /savecred parameter indicates that if credentials have previously been used by this user, the command will not prompt for them a second time. This parameter does NOT work on Windows 2000. [Note: /savecred still functions in Windows 10, 11, and Server 2022 but is discouraged in security-sensitive environments due to credential caching.]

Lamer Note: Use your own domain name and user name… Duh…

  3. Give the shortcut a descriptive name such as “AD Users & Computers” and click Finish.

  4. Double-click your new shortcut. You’ll get a black Command Prompt window asking you for the administrator’s password. If the shortcut was previously used in the current session – no password will be required.

  5. If you gave a valid username and password then Active Directory Users and Computers will now open giving you the full permissions to manage it with admin privileges.

That’s it.
Other valuable RUNAS examples might include any .MSC snap-in you want to run. You can easily find them by performing a search on the %systemroot% folder for files that have the .MSC extension. For example:

runas /savecred /user:dpetri\administrator "mmc domain.msc"
runas /savecred /user:dpetri\administrator "mmc dssite.msc"
runas /savecred /user:dpetri\administrator "mmc dsa.msc"
runas /savecred /user:dpetri\administrator "mmc compmgmt.msc"
runas /savecred /user:dpetri\administrator "mmc gpmc.msc"
runas /savecred /user:dpetri\administrator "mmc services.msc"

[Note: All listed snap-ins are still available in modern Windows versions when RSAT or equivalent roles/features are installed.]

Create shortcuts for these RUNAS commands on the desktop of your non-administrative user account.
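Because /savecred caches the administrative credentials for the account that owns the shortcut, it helps to be able to list which shortcuts and cached entries exist on a workstation. The PowerShell below is an added example, not part of the original article: the function names are hypothetical, and it assumes the shortcuts sit on the current user's Desktop or Start Menu and that entries saved by RUNAS show up in cmdkey /list with an "interactive=" target.

```powershell
# Added example: audit the current user's profile for RUNAS /savecred usage.

function Get-SaveCredShortcut {
    param(
        # Folders to search (assumed default: current user's Desktop and Start Menu).
        [string[]]$Path = @(
            [Environment]::GetFolderPath('Desktop'),
            [Environment]::GetFolderPath('StartMenu')
        )
    )
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Path -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            # A shortcut created as in the article has runas.exe as its target
            # and the rest of the command line in Arguments.
            if ($lnk.TargetPath -match '(^|\\)runas(\.exe)?$' -and
                $lnk.Arguments -match '/savecred') {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Arguments = $lnk.Arguments
                }
            }
        }
}

function Get-RunasCachedCredential {
    # cmdkey /list prints the credentials stored for the current user.
    # Assumption: entries written by "runas /savecred" have a target such as
    # "Domain:interactive=DOMAIN\user"; the account part is extracted here.
    cmdkey /list |
        Select-String -Pattern 'interactive=(?<account>\S+)' |
        ForEach-Object { $_.Matches[0].Groups['account'].Value } |
        Sort-Object -Unique
}

# Report shortcuts that rely on cached credentials, then the cached accounts.
Get-SaveCredShortcut | Format-List
Get-RunasCachedCredential
```

A cached entry can be removed with cmdkey /delete:<target>, using the target string exactly as cmdkey /list prints it.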

FAQs

How can I run Active Directory as a different user without using the RUNAS command?

You can run Active Directory as a different user by using the Shift+Right-click method on any AD tool, selecting “Run as different user,” and entering the alternative credentials. This method provides a quick GUI alternative to command-line solutions.

Is it possible to run Active Directory as a different user in PowerShell?

Yes, you can run Active Directory as a different user in PowerShell by using the Start-Process cmdlet with the -Credential parameter, which lets you execute AD commands with alternate credentials while maintaining security protocols.
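One way to apply this to the snap-ins used in the article, prompting for the password on each launch instead of caching it with /savecred. This is an added example, not code from the original article: Start-AdminSnapIn is a hypothetical helper name, and it assumes the .msc files are in %SystemRoot%\System32.

```powershell
# Added example: launch an MMC snap-in under alternate credentials.
function Start-AdminSnapIn {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[\w-]+\.msc$')]   # bare file name only, no path
        [string]$SnapIn,

        # Supplied per call; nothing is saved to the credential store.
        [Parameter(Mandatory)]
        [pscredential]$Credential
    )

    # Assumption: snap-ins are installed under %SystemRoot%\System32.
    $system32 = Join-Path $env:SystemRoot 'System32'
    $msc      = Join-Path $system32 $SnapIn
    if (-not (Test-Path -LiteralPath $msc -PathType Leaf)) {
        throw "Snap-in not found: $msc"
    }

    # Set the working directory explicitly: the alternate account often cannot
    # read the caller's current directory (for example your own profile folder),
    # and Start-Process fails if it cannot enter it.
    Start-Process -FilePath (Join-Path $system32 'mmc.exe') `
                  -ArgumentList "`"$msc`"" `
                  -Credential $Credential `
                  -WorkingDirectory $system32
}

# Same snap-in and account as the article's shortcut; the password is prompted for.
Start-AdminSnapIn -SnapIn dsa.msc -Credential (Get-Credential -Credential 'dpetri\administrator')
```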

Can I schedule tasks to run Active Directory as a different user automatically?

Yes, you can use Task Scheduler to run Active Directory as a different user by creating scheduled tasks with specific credentials, enabling automated AD management operations under different user contexts.

What security considerations should I follow when running Active Directory as a different user in a corporate environment?

When you run Active Directory as a different user, always use dedicated admin accounts, implement time-limited credentials, enable auditing for all actions, and ensure the alternate credentials comply with your organization’s security policies.

How do I troubleshoot permission issues when trying to run Active Directory as a different user?

To resolve permission issues when running Active Directory as a different user, verify the account’s membership in appropriate AD groups, check for inherited permissions, and ensure the account has the necessary delegated rights in the target AD domain.
