Re: Use restrictec accounts instead of Admin accounts. Problem with runas and deny logon locally




Hello Eric,

If an account is restricted from local logon, how should it work locally? If you really need some user with local elevated permissions, why not using restricted groups and make them power users if this will be enough or local administrator?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Hello,

we would like to secure the way our users are logging on to their
computers.

Some of them are travelling a lot; others need to launch a specific
application etc... So I was thinking about creating another user
account for each of them who need one and to configure the policy
"Deny Logon Locally".

So they would have two accounts :
1. The normal account "username" used by default and for the basic
needs
2. The admin account "adm-username" with the "Deny logon locally"
applied to this account to restrict the user to open a session with
this account.
BUT...

It seems that the "runas" command cannot work if the account used for
the runas doesnt have the "logon locally" right.

So my question is "How can I prevent the "adm-username" account to be
able to logon locally and in the meanwhile to allow this account to
launch programs as admin ?

Thank you



.