Why you should not run your computer as an administrator

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Why you should not run your computer as an administrator

Running your computer as a member of the Administrators group makes the system vulnerable to Trojan horses and other security risks. The simple act of visiting an Internet site or opening an e-mail attachment can be damaging to the system. An unfamiliar Internet site or e-mail attachment may have Trojan horse code that can be downloaded to the system and executed.

If you are logged on as an administrator of a local computer, a Trojan horse could reformat your hard drive, delete your files, and create a new user account with administrative access. If you are logged on as a member of the Domain Admins group, Enterprise Admins group, or Schema Admins group in Active Directory, a trojan horse could create a new domain user account with administrative access and put schema, configuration, or domain data at risk.

On a local computer, it is recommended that you add your domain user account only to the Users group (and not to the Administrators group) to perform routine tasks, including running programs and visiting Internet sites. When it becomes necessary to perform administrative tasks on the local computer or in Active Directory, use Run as to start a program using administrative credentials.

Run as allows you to accomplish administrative tasks without exposing your computer or data stored in Active Directory to unnecessary risk. For more information, see Using Run as. For more information about how to use Run as, see Run a program with administrative credentials.

If you need to perform administrative tasks, such as upgrading the operating system or configuring system parameters, then log off and log back on as an administrator.