Runas
Applies To: Windows Server 2003, Windows Vista, Windows XP, Windows HPC Server 2008 R2, Windows Server 2008, Windows 7, Windows Server 2003 R2, Windows Server 2000, Windows Server 2012, Windows Server 2003 with SP1, Windows 8
Allows a user to run specific tools and programs with different permissions than the user's current logon provides.
Runas is a command-line tool that is built into Windows Vista. To use runas at the command line, open a command prompt, type runas with the appropriate parameters, and then press ENTER.
In the user interface for Windows Vista, the Run as… command has been changed to Run as administrator. However, you should rarely have to use the Run as administrator command because Windows Vista will automatically prompt you for an administrator password when it is needed.
For examples of how this command can be used, see Examples.
Syntax
runas [{/profile | /noprofile}] [/env] [{/netonly | /savecred}] [/smartcard] [/showtrustlevels] [/trustlevel] /user:<UserAccountName> "<ProgramName> <PathToProgramFile>"
Parameters
Parameter |
Description |
---|---|
/profile |
Loads the user's profile. This is the default. This parameter cannot be used with the /netonly parameter. |
/no profile |
Specifies that the user's profile is not to be loaded. This allows the application to load more quickly, but it can also cause a malfunction in some applications. |
/env |
Specifies that the current network environment be used instead of the user's local environment. |
/netonly |
Indicates that the user information specified is for remote access only. This parameter cannot be used with the /profile parameter. |
/savecred |
Indicates if the credentials have been previously saved by this user. This parameter is not available and will be ignored on Windows Vista Home or Windows Vista Starter Editions. This parameter cannot be used with the /smartcard parameter. |
/smartcard |
Indicates whether the credentials are to be supplied from a smartcard. This parameter cannot be used with the /savecred parameter. |
/showtrustlevels |
Displays the trust levels that can be used as arguments to /trustlevel. |
/trustlevel |
Specifies the level of authorization at which the application is to run. Use /showtrustlevels to see the trust levels available. |
/user:<UserAccountName> "<ProgramName> <PathToProgramFile>" |
Specifies the name of the user account under which to run the program, the program name, and the path to the program file. The user account name format should be <User>@<Domain> or <Domain>\<UserAccountName>. |
/? |
Displays help at the command prompt. |
Remarks
Enter the user's password only when prompted.
It is good practice for administrators to use an account with restrictive permissions to perform routine, nonadministrative tasks, and to use an account with broader permissions only when performing specific administrative tasks. To accomplish this without logging off and back on, log on with a regular user account, and then use the runas command to run the tools that require the broader permissions.
The use of runas is not restricted to administrator accounts, although that is the most common use. Any user with multiple accounts can use runas to run a program, MMC console, or Control Panel item with alternate credentials.
If you want to use the Administrator account on your computer, for the /user: parameter, type one of the following:
**/user:<**AdministratorAccountName>@<ComputerName>
**/user:<ComputerName>\<**AdministratorAccountName>
If you want to use this command as a domain administrator, type one of the following:
**/user:<AdministratorAccountName>@<**DomainName>
**/user:<**DomainName>\<AdministratorAccountName>
With the runas command, you can run programs (*.exe), saved MMC consoles (*.msc), shortcuts to programs and saved MMC consoles, and Control Panel items. You can run them as an administrator while you are logged on to your computer as a member of another group, such as the Users or Power Users group.
You can use the runas command to start any program, MMC console, or Control Panel item. As long as you provide the appropriate user account and password information, the user account has the ability to log on to the computer, and the program, MMC console, or Control Panel item is available on the system and to the user account.
With the runas command, you can administer a server in another domain or forest (the computer from which you run a tool and the server you administer are in different domains or forests).
If you try to start a program, MMC console, or Control Panel item from a network location using runas, it might fail because the credentials used to connect to the shared network resource are different from the credentials used to start the program. The latter credentials may not be able to gain access to the same shared network resource.
Some items, such as the Printers folder and desktop items, are opened indirectly and cannot be started with the runas command.
If the runas command fails, the Secondary Logon service might not be running or the user account you are using might not be valid. To check the status of the Secondary Logon service, in Computer Management, click Services and Applications, and then click Services. To test the user account, try logging on to the appropriate domain using the account.
Group Policy is not processed for the user whose credentials are supplied to the runas command. This is by design. The runas command can load the user profile of the secondary user whose identity is being used to create the process, and that user profile may contain registry keys and values from previous interactive logons when Group Policy was processed for that user. However, the runas command also contains a /noprofile switch that bypasses the loading of the user profile, so that behavior should not be relied upon. User GPO is only processed for users who log on interactively to their own desktops by using the logon user interface.
Examples
The following command starts an instance of the command prompt as an administrator on the local computer:
runas /user:<localmachinename>\administrator cmd
When prompted, type the administrator account password.
The following command starts an instance of the Computer Management snap-in using a domain administrator account called contoso\domainadmin:
runas /user:contoso\domainadmin "mmc %windir%\system32\compmgmt.msc"
When prompted, type the domain administrator account password.
The following command starts an instance of Notepad (and a file named my_file.txt) using a domain administrator account called jayj in a domain called domain.contoso.com:
runas /user:jayj@domain.contoso.com "notepad my_file.txt"
When prompted, type the domain administrator account password.
The following command starts an instance of a command prompt window, saved MMC console, Control Panel item, or program that will administer a server in another forest:
runas /netonly /user:<Domain>\<User_Name> "<Command>"
<Domain>\<User_Name> must be a user with sufficient permissions to administer the server. When prompted, type the account password.