Standard user accounts do not have administrator level permissions on servers. Privileged (PR) Accounts must be used when remoting into servers or performing other Administrator level tasks. These accounts must be requested by the user, and approved by the user's manager and IT admins. Managers may also request an account on the user's behalf.
Intended Audience
Users who need Remote Desktop (RDP) access into servers or need perform other administrative tasks on servers.
Step-by-step guide
Request your PR Account
PR accounts are requested in the Employee Directory System Access.
Prerequisites: You must already have a CWF Computer account and DUO account before you can request a PR account.
- Browse to http://employeedirectory/SystemAccessForm.mvc
- Click "Add System Access"
- Managers may request a PR account for their direct reports by going to My Employees and selecting System Access on the line next to the user who needs it.
- Scroll down to Server Access and select the type of access you need. If you need an access type that is not listed, please open a new JIRA ticket specifying the servers you need access to. If you work outside of IT, you should most likely select "Server Access -Other".
- Your new request will show up in a green box. Make sure you click Submit to complete the request
- The request will routed to your manager and the group manager for approval.
- When all approvals are complete, you receive an email with the account name and password. This may take up to 24 hours.
Test Your PR Account
- Open a Remote Desktop Connection to a server you have local admin rights on.
- Use whatever RDP tool/method you are comfortable with
- If the connection defaults to or has saved your normal windows credentials, connect as a different user, and input your PR credentials
- If you do not get DUO prompt, submit a JIRA ticket, specifying that you did not get a DUO when accessing a server.
- Confirm your RDP session is using the PR account using method a or b.
- Many of our servers use a program called bginfo to display system information on the desktop background. The logon account will be displayed with this info, and it should be your PR account.
- Open a command prompt and run “whoami”. The results should display your PR account name.
- If either of these methods do not display your PR account name, double check your RDP settings and make sure they are not using saved credentials or your workstation ‘current user’ credentials.
- Many of our servers use a program called bginfo to display system information on the desktop background. The logon account will be displayed with this info, and it should be your PR account.
- Change your PR account password in the RDP session using one of the following methods
- Press Ctrl-Alt-END
- Run this in powershell in the RDP session:
(New-Object -COM Shell.Application).WindowsSecurity() - Open the On-Screen Keyboard (osk.exe). Press and hold Ctrl-Alt on your keyboard, then click Del in the onscreen keyboard
Additional notes about using PR accounts:
- Do NOT use them to log on to your workstation.
- Do NOT use them in Outlook, Teams, or any Office365 application.
- Do NOT use them for VPN connections.
- Do NOT share them with anyone, ever.
- Do NOT register for SSPR with this account. Change the password using one of the methods in step 3 above, or have ITOPS reset it to a temporary password.
Related articles
There is no content with the specified labels