Using RunAs to Test Security Privileges

Every now and then I run into scenarios where I want to test whether a specific AD (Active Directory) account has access to a website like the SSRS (SQL Server Reporting Services) web interface via Windows Authentication.

Here is a neat, quick trick to check this scenario. In order for this to work you need to have both the username AND password for the account that you want to test.

1. Open a command prompt

2. Type RunAs /? and hit enter for command help (I tend to forget the specific parameter order and options; this helps jog my memory.)

3. Type RunAs /user:DOMAIN\username "C:\Program Files\Internet Explorer\iexplore.exe" (including double-quotes) and hit enter.

4. You’ll be prompted for the password of the user, enter it carefully (you won’t get any feedback as you enter the password). Hit enter.

5. It should open IE under the context of that user. Now, navigate to your website that uses Windows Authentication and see if the user can get in. (Note: for SSRS use the /Reports url, not /ReportService)

You can also use this same concept to execute other commands, not just opening IE.

Enjoy!