SU lets you start a process running as an arbitrary user. It is named after the SU (Switch Users) utility of the UNIX family of operating systems.
Providing that the specified domain, user name, and password are correct, the new process runs in the security context of that user.
The new process starts with an environment block representing the per-user environment variables that Windows 2000 maintains. When the new process starts, the registry hive representing the target user, accessed through the HKEY_CURRENT_USER key, is available to the process. Both of these behaviors can be disabled.
The logon type equates to the logon right required by the target user (who was granted the privileges). Furthermore, the logon type dictates how the access token representing the target user is populated. The security identifier (SID) with type SE_GROUP_LOGON_ID in the access token for the new process represents the type of logon: Batch, Interactive, or Service. Logon rights can be granted through the Local Security Policy snap-in, an Administrative Tool included with Windows 2000 (or User Manager, a Resource Kit Tool, for Windows NT version 4.0).
Note
Local Security Policy tells you if local settings are being overridden by settings applied through Group Policy at the site, domain, or organizational unit level. If this is the case, then you will not be able to change them at the local level.
In this release of SU, the caller no longer needs the following privileges:
In order to obtain these privileges before running SU, the user must install a new service-based component used by SU. The service component is encapsulated in the executable Suss.exe, and this is installed by entering the following command at the command prompt:
suss.exe -installYou must be an administrator in order to install the service in this manner. The name of the service installed, as listed in the in the Services snap-in, is SU Service.
Once SU Service is installed, users may use SU without having the four privileges mentioned above. If you are upgrading over an previous installation of SU, you should revoke the above mentioned privileges from any users or groups to whom they were previously granted. You can do this with the Local Security Policy snap-in (or User Manager for Windows NT 4.0).
SU Service can be configured to run in the Local System account or any account that has been assigned the privileges that were previously necessary in the stand-alone version. By default, the service allows anybody to use SU, but that can be regulated by changing the ACL on a particular registry key (the ACL itself will map to whom the service allows to use SU).
Note
If you receive the error "LogonUser error! (rc=1722)" when using SU, you may not have properly installed SU Service from Suss.exe or the service may be stopped. Verify that SU Service is included in the list in the Services snap-in. If its status is not shown as Started on the list, start the service by right-clicking it and then clicking Start. If the service does not appear in the list, please follow the above instructions to install the service.
Most of the functionality of SU is included in RunAs, a command-line tool included with the Windows 2000 operating system. For information on this tool, see Windows 2000 Help. However, SU still includes two features not available in RunAs:
SU Topics
Files Required