Using RUNAS to Clear a Hurdle


April 22, 2011 by Mike Hillwig

Like most companies, mine has to contend with some form of regulatory compliance. In our particular case, it’s Sarbanes-Oxley 404, better known as SOX. We have some network policies to enforce compliance with the implementation of SOX. One of those policies is that people with elevated access to key systems have a separate account for administrative tasks. This means I have two Active Directory accounts, usermike and dbamike. Oh, and of course, I’m not supposed to be logged into my regular workstations with my administrative account. Just to make life a little more interesting, we have a policy that says we don’t do administrative tasks with service accounts, such as SA.

usermike doesn’t have access to crap, especially database servers. Let me put it this way, Claire in Marketing has more access on the network than usermike.

As a DBA, this situation can be hell. When I first started, I was launching a remote desktop session to my SQL servers in order to run SQL Management Studio. The only thing worse than running a remote desktop session to a SQL server is running SSMS in that remote desktop session. When we bought a new SQL tool, I realized that keeping RDC sessions open all day just wasn’t the solution. I went looking for a better solution.

One day, I stumbled across the RUNAS command. Basically, from a command line, I can launch an application and state the user that should be used to run the application. In my case, dbamike runs the application. It will prompt me for that user’s password, and off we go. It looks something like this for SSMS.


runas /user:domain\dbamike "C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"


After putting this in a batch file on the desktop, life became a lot simpler. My productivity soared.

Like most things, there is a gotcha. When I attempt to save a file, it will save it in dbamike’s My Documents folder. That’s because the application is running as dbamike. It also means I can’t open files directly from usermike’s Outlook mailbox. I have to save it to c:\mike first. It’s an extra step, but the trade-off is well worth it.
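The same launch can be done from PowerShell, shown here as an added example that is not part of the original post. It prompts for the dbamike password on every launch, so nothing is stored in the script, and it starts the tool in the c:\mike hand-off folder. Start-AsAdminAccount is a hypothetical helper name, DOMAIN stands in for the real domain, and the example assumes both accounts can reach C:\mike.

```powershell
# Added example: launch a tool under the separate administrative account.
# Assumptions: DOMAIN is a placeholder, dbamike and C:\mike are the names
# used in the post, Start-AsAdminAccount is a hypothetical helper.
function Start-AsAdminAccount {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $AdminAccount     = 'DOMAIN\dbamike',
        [string] $WorkingDirectory = 'C:\mike'
    )

    # Fail early with a clear message if the tool is not installed here.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Executable not found: $Path"
    }

    # The desktop session itself should stay on the everyday account.
    $adminName = ($AdminAccount -split '\\')[-1]
    if ($env:USERNAME -ieq $adminName) {
        throw "Already logged on as $adminName; use the everyday account for the desktop."
    }

    # Prompt every time. The password is never written into the script,
    # which is also why runas /savecred is not used here.
    $cred = Get-Credential -UserName $AdminAccount -Message "Password for $AdminAccount"
    if (-not $cred) { return }   # prompt was cancelled

    # Start in a folder the admin account can access; a working directory
    # it cannot read makes Start-Process -Credential fail.
    Start-Process -FilePath $Path -Credential $cred -LoadUserProfile `
                  -WorkingDirectory $WorkingDirectory
}

# SSMS path as given in the post.
Start-AsAdminAccount -Path 'C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe'
```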

  • eccentricDBA

    Great tip. I do the same thing. One of the things I do to make my life easier is to set up External Tools under the Tools menu (Tools -> External Tools…) to run the other applications that require me to use my “superman” account.

    Maybe I should call it a “spiderman” account. Because “with great power comes great responsibility” ~Uncle Ben Spiderman
