Windows Admin Center and Privileged Accounts


Hi. I understand that Windows Admin Center (WAC) was built to provide a remote set of Windows Server management tools to server administrators to both a) reduce remote logins to servers; b) improve management of server core OS.

How does WAC work when using the principle of "privileged accounts" and separating your admin rights from your regular user account? We are going through that process as we speak. In the past, my user account was a domain admin, so if I logged into my desktop work computer and ran WAC, any management of servers within WAC was being done as myself and I had the rights to do all those things, because I was a domain admin. Now that I'm not a domain admin, I have to log in as somebody else before I can do any admin stuff. So do I have to run WAC as that other admin user before I use it? I can't just go to WAC anymore from my desktop PC web browser, because that user can't do anything admin-related. Do I need to remote desktop to a second Windows 10 machine as the admin user first, and run WAC from there? That seems like a lot of steps. Just curious how people see WAC fitting into the server admins' daily tasks and which accounts are being leveraged (the regular user, the admin user, or both - or neither?). Any advice or your own experiences would be greatly appreciated.

1 Reply

If you have configured Kerberos delegation between the WAC gateway and managed node, you can launch the web browser on your desktop/laptop using run-as (Shift+right-click the executable) and specify the alternate account credentials. You must use Microsoft Edge Insider or Chrome for this, since legacy Edge doesn't support run-as.
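
The setup described in the reply, sketched in PowerShell as an added example (not code from the thread): it checks that the managed node trusts the gateway for delegation, flags admin accounts that cannot be delegated, and then starts the browser under the separate admin account. It assumes resource-based constrained delegation set with the ActiveDirectory (RSAT) module; the gateway, node, account, URL and browser path are placeholders.

```powershell
# Added example. All names below are placeholders (assumptions), not values from the thread.
Import-Module ActiveDirectory   # requires RSAT and rights to edit the node's computer object

$GatewayName = 'WAC-GW01'       # hypothetical WAC gateway computer account
$NodeName    = 'SRV-CORE01'     # hypothetical managed server
$AdminSam    = 'jdoe-adm'       # hypothetical separate admin account
$WacUrl      = 'https://wac-gw01.contoso.example'
$BrowserPath = 'C:\Program Files\Google\Chrome\Application\chrome.exe'  # assumed install path

$gw   = Get-ADComputer -Identity $GatewayName
$node = Get-ADComputer -Identity $NodeName -Properties PrincipalsAllowedToDelegateToAccount

# 1. Allow the gateway to delegate to the node, keeping any principals already listed.
$existing = @($node.PrincipalsAllowedToDelegateToAccount) | Where-Object { $_ }
if ($existing -notcontains $gw.DistinguishedName) {
    Set-ADComputer -Identity $node `
        -PrincipalsAllowedToDelegateToAccount (@($existing) + $gw.DistinguishedName)
    Write-Host "Added $GatewayName to the delegation list on $NodeName."
}

# 2. Accounts flagged "sensitive and cannot be delegated" or placed in Protected Users
#    are never delegated, so the gateway could not act for them on the node.
$admin     = Get-ADUser -Identity $AdminSam -Properties AccountNotDelegated, MemberOf
$protected = $admin.MemberOf -match '^CN=Protected Users,'
if ($admin.AccountNotDelegated -or $protected) {
    Write-Warning "$AdminSam cannot be delegated; WAC will prompt for credentials per node."
}

# 3. Start the browser as the admin account (scripted form of Shift+right-click > run as).
#    WorkingDirectory is set because the caller's current folder may be unreadable
#    for the other user.
$cred = Get-Credential -UserName "$env:USERDOMAIN\$AdminSam" -Message 'Admin account for WAC'
Start-Process -FilePath $BrowserPath -ArgumentList $WacUrl `
    -Credential $cred -WorkingDirectory $env:SystemRoot
```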