HOW TO: Prevent Users From Submitting Alternate Logon Credentials in Windows 2000

This step-by-step article describes how to prevent users from submitting alternate logon credentials. You may want to do this because of the "Runas" feature. The "Runas" feature was introduced in Microsoft Windows 2000, and an administrator who is logged on with a regular user account could use it to type in a user name and password that has administrative privileges in order to install programs.

Preventing Users Alternate Logon Credentials

It is a best practice for administrators not to use their administrative accounts for routine use, as being logged on with this high level of privileges when not needed poses a security risk. However, many programs cannot be installed except by a member of the administrative group. The ability to supply administrative credentials when needed, without having to log off and log back on, is a welcome convenience. The Install Program as Other User dialog box prompts a user to enter alternate credentials.

However, in a high-security environment, you may not want to provide this "second chance" to a user who tries to install a program without authorization. You can prevent the Install Program as Other User dialog box from appearing when a user attempts to install a program on the local computer (users are not prompted by default to provide alternate credentials when installing a program from a location on another computer on the network).

To prevent the alternate credentials logon option, you will need to use a Windows 2000 Group Policy. Microsoft has provided a built-in administrative template to make it easy to accomplish this task. You can apply the policy to the users in a site, domain or organizational unit. To do so:

1. Create or edit the applicable group policy. For example, if you want this to be a domain-wide policy, you can edit the default domain policy by clicking Start, pointing to Administrative Tools, clicking Active Directory Users and Computers, and then right-clicking the domain name. Click Properties, click the Group Policy tab, click the default domain policy, and then click Edit to open the group policy console.
2. In the left pane of the Group Policy console, expand the User Configuration node.
3. Expand Administrative Templates, and then expand Windows Components.
4. Click the Windows Explorer folder.
5. In the right console pane, double-click Do not request alternate credentials.
6. By default, this policy is not configured. To prevent the request for alternate credentials, click Enabled, and then click OK.

When this policy is enabled, users will no longer be prompted to provide administrative credentials to install a program. Instead, installation is attempted with the credentials with which the user is currently logged on. If the account does not have sufficient credentials, the installation will fail.