Re: Use restrictec accounts instead of Admin accounts. Problem with runas and deny logon locally
- From: Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
- Date: Wed, 24 Jun 2009 20:12:12 +0000 (UTC)
If an account is restricted from local logon, how should it work locally? If you really need some user with local elevated permissions, why not using restricted groups and make them power users if this will be enough or local administrator?
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
we would like to secure the way our users are logging on to their
Some of them are travelling a lot; others need to launch a specific
application etc... So I was thinking about creating another user
account for each of them who need one and to configure the policy
"Deny Logon Locally".
So they would have two accounts :
1. The normal account "username" used by default and for the basic
2. The admin account "adm-username" with the "Deny logon locally"
applied to this account to restrict the user to open a session with
It seems that the "runas" command cannot work if the account used for
the runas doesnt have the "logon locally" right.
So my question is "How can I prevent the "adm-username" account to be
able to logon locally and in the meanwhile to allow this account to
launch programs as admin ?
- Prev by Date: Disable System Restore on Server 2008?
- Next by Date: Re: Disable System Restore on Server 2008?
- Previous by thread: Use restrictec accounts instead of Admin accounts. Problem with runas and deny logon locally
- Next by thread: Re: Use restricted accounts instead of Admin accounts. Problem with runas and deny logon locally