How do I manage Windows like Linux/Unix: administrative rights by group membership without accidents and without sharing Administrator password?

First off, only administrators should get admin access, so unless there is a HUGE (I can't think of a good one) reason they need it, it should be left to the admins; there are rare occasions when a regular user gets admin privs, and even then I'm usually skeptical about why they need it.

Second, you can accomplish what you want to do by using Group Membership in Windows. You didn't say that you were using Active Directory, so I'm not sure if you have a domain and are doing that, but you can create Security Groups and add individual user accounts to them. See here. I wouldn't add users to the local administrators group on the server individually, as this will get messy and be hard to keep track of down the road, and it will make for a lot of headache for you and potential security issues.

What I would do, as mentioned above, is create a Security Group and add the members that you want to have admin access to this group. You'd create two user accounts for each of your users: one for regular login, and a 2nd account that is only used for elevated actions. You'd add the user's "higher/privileged" account to the Security Group; then you can put this group in an elevated local group on the actual server, say Power Users, for example. This will allow them to perform a lot of functions without being admins. Sometimes the group will need local admin access, and at that point you can put the group into the local admin group on the server.

As far as Run As Administrator, you don't have to do that all the time. The best way to have people run things without knowing the Administrator, or any administrator, password is to use Shift+Right-click and then select Run as different user, or Right-click and Run as Administrator. You'd first want to create a separate user for them that has higher rights, or elevated rights as mentioned above (this elevated user would be added to the Security Group, again as mentioned above), as then this user could be used to run things that require elevation, all the while being logged in with a normal/standard user account. See my screenshot:


That should take care of what you're wanting to do as far as running things as admin. One final note I might add is to keep UAC on. If you do this, the users will be required to type in their (elevated) password and not an admin password for things that they do on the server. It is a pain when you have to type it in a lot, but for security it's worth it.
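The group setup described in this answer, sketched in PowerShell as an added example (not code from the answer's author). It assumes an Active Directory domain, the RSAT ActiveDirectory module on the server, and hypothetical names: domain `CONTOSO`, group `SRV01-Elevated`, privileged account `jdoe-adm`.

```powershell
# Added example. All names are hypothetical placeholders (assumptions):
# domain CONTOSO, security group SRV01-Elevated, privileged account jdoe-adm.
# Run on the member server from an elevated session, with rights to manage
# groups in the domain.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory        # RSAT module providing the *-AD* cmdlets

$Domain     = 'CONTOSO'
$GroupName  = 'SRV01-Elevated'
$PrivUsers  = @('jdoe-adm')          # the users' second, privileged accounts only
$LocalGroup = 'Administrators'       # or 'Power Users' when that is sufficient

# 1. Create the domain security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}

# 2. Add the privileged accounts that are not members yet.
$current = Get-ADGroupMember -Identity $GroupName |
    Select-Object -ExpandProperty SamAccountName
$PrivUsers | Where-Object { $_ -notin $current } | ForEach-Object {
    Add-ADGroupMember -Identity $GroupName -Members $_
}

# 3. Nest the domain group in the server's local group, instead of adding
#    individual users to that local group.
$nested = "$Domain\$GroupName"
if (-not (Get-LocalGroupMember -Group $LocalGroup -Member $nested -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $LocalGroup -Member $nested
}

# 4. Audit: list user accounts that were added to the local group one by one.
#    The built-in Administrator account (RID 500) is excluded from the report.
Get-LocalGroupMember -Group $LocalGroup |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -notlike 'S-1-5-21-*-500' } |
    Select-Object Name, PrincipalSource, SID
```

Any row returned by step 4 is an individually added account of the kind the answer warns becomes hard to track; move it into the security group and remove the direct entry.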


Leave their standard account as 'standard'. Create them a privileged second account and add that to the various Administrative groups. Use 'runas' with the privileged account. (You may find it useful to disable interactive logons with the admin account, but then again - this will probably get annoying).