Microsoft KB Archive/325371

= HOW TO: Prevent Users from Submitting Alternate Logon Credentials to Install a Program in Windows Server 2003 =

PSS ID Number: 325371

Article Last Modified on 12/19/2003


The information in this article applies to:


 * Microsoft Windows Server 2003, Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, 64-Bit Enterprise Edition




This article was previously published under Q325371



For a Microsoft Windows 2000 version of this article, see 310360.

IN THIS TASK

 * SUMMARY
 * How to Prevent Users from Submitting Alternate Logon Credentials to Install a Program



SUMMARY
This step-by-step article describes how to prevent users from submitting alternate logon credentials to install a program in Windows Server 2003.

You may want to do this because of the "Run as" feature. This feature allows a user with multiple accounts to run a program, Microsoft Management Console (MMC), or Control Panel tool with alternate credentials. For example, an administrator who is logged on with a regular user account can use it to type a user name and password that has administrative permissions to install programs.


How to Prevent Users from Submitting Alternate Logon Credentials to Install a Program
It is a best practice for administrators not to use their administrative accounts for routine use. Logging on by using this high level of permissions when they are not needed poses a security risk. However, many programs can be installed only by an administrator. The Install Program as Other User dialog box prompts a user to type alternate credentials. This dialog box appears when users who are not logged on with administrative credentials try to install programs locally on their computers. This ability to supply administrative credentials when needed, without having to log off and log back on, is a welcome convenience.

However, in a high-security environment, you may not want to provide this "second chance" to a user who tries to install a program without the right permissions. You can prevent the Install Program as Other User dialog box from appearing when a user tries to install a program on the local computer. (By default, users are not prompted to provide alternate credentials when installing a program from a location on another computer on the network.)

To prevent the alternate credentials logon option, you must use a group policy. Microsoft has provided a built-in administrative template to make it easy to do this task. You can apply the policy to the users in a site, domain, or organizational unit (OU). To do so:

 1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
 2. Create or edit the applicable group policy. For example, if you want to implement a domain-wide policy, edit the Default Domain Policy. To do so:
    a. Right-click the domain name, and then click Properties.
    b. Click the Group Policy tab, click Default Domain Policy, and then click Edit.
 3. In the console tree, expand User Configuration. Expand Administrative Templates, and then expand Windows Components.
 4. Click Windows Explorer.
 5. In the right pane, double-click Do not request alternate credentials.
 6. Click Enabled to prevent the request for alternate credentials, and then click OK.
 7. Close the Group Policy Object Editor window, click OK, and then quit the Active Directory Users and Computers snap-in.

When this policy is enabled, users are no longer prompted to provide administrative credentials to install a program. Instead, installation is tried with the credentials with which the user is currently logged on. As a result, the installation may fail, or may complete but not include all features. Or, installation may appear to complete successfully, but the installed program may not operate correctly.
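
To confirm that the policy has reached a computer, an administrator can audit the loaded user hives. The following PowerShell sketch is an added example, not part of the original article. It assumes the "Do not request alternate credentials" setting is stored as the DWORD value NoRunasInstallPrompt under the Explorer policies key of each user's hive, and the function name Get-AlternateCredentialPolicy is hypothetical.

```powershell
# Added example (not from the KB article): report, per logged-on user, whether
# the "Do not request alternate credentials" user policy is in effect.
# Assumption: the policy is stored as the DWORD NoRunasInstallPrompt under
# Software\Microsoft\Windows\CurrentVersion\Policies\Explorer in the user hive.
# Run elevated so that other users' loaded hives under HKEY_USERS are readable.

$policySubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName    = 'NoRunasInstallPrompt'

function Get-AlternateCredentialPolicy {
    $users = [Microsoft.Win32.Registry]::Users
    foreach ($sid in $users.GetSubKeyNames()) {
        # Keep only real account hives; skip .DEFAULT, service SIDs and *_Classes.
        if ($sid -notmatch '^S-1-5-21-[\d-]+$') { continue }

        # Read the policy value; $null means the key or value does not exist.
        $value = $null
        $key = $users.OpenSubKey("$sid\$policySubKey")
        if ($key) {
            $value = $key.GetValue($valueName, $null)
            $key.Close()
        }

        # Resolve the SID to an account name; keep the SID if it cannot be resolved.
        try {
            $sidObject = New-Object System.Security.Principal.SecurityIdentifier $sid
            $account = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $sid
        }

        $state = if ($null -eq $value) { 'Not configured (prompt allowed)' }
                 elseif ($value -eq 1) { 'Enabled (prompt suppressed)' }
                 else                  { 'Disabled (prompt allowed)' }

        [pscustomobject]@{ Account = $account; Value = $value; State = $state }
    }
}

Get-AlternateCredentialPolicy | Format-Table -AutoSize
```

Only hives of users who are currently logged on are loaded under HKEY_USERS, so run the check while the accounts of interest have a session on the computer.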


© 2004 Microsoft Corporation. All rights reserved.