Re: Use restricted accounts instead of Admin accounts. Problem with runas and deny logon locally


Thank you for your answer.
The idea is to create a local admin account that will be ONLY available for the "run as" command and that will not be able to log on to an interactive session.

Why?
Because in this situation the user will log on with a basic user account and only needed applications will be launched with admin privileges (via the RunAS command). So, applications like Internet Explorer, Outlook etc. will not run with admin privileges.

But?
But the problem is that I would like to be sure that users will not log on directly with the admin accounts but it seems that the RunAS command needs the "logon locally right".

So my question is "How can I force users to use only their basic user account and not the admin account when they log on interactively?"

I hope I am clear enough this time =)


Hello Eric,

If an account is restricted from local logon, how should it work locally? If you really need some user with local elevated permissions, why not use restricted groups and make them power users, if this will be enough, or local administrator?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!


we would like to secure the way our users are logging on to their

Some of them are travelling a lot; others need to launch a specific
application etc... So I was thinking about creating another user
account for each of them who need one and to configure the policy
"Deny Logon Locally".

So they would have two accounts :
1. The normal account "username" used by default and for the basic
2. The admin account "adm-username" with the "Deny logon locally"
applied to this account to restrict the user to open a session with
this account.

It seems that the "runas" command cannot work if the account used for
the runas doesn't have the "logon locally" right.

So my question is "How can I prevent the "adm-username" account from being
able to log on locally and in the meanwhile allow this account to
launch programs as admin?"

Thank you
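
An added example, not part of the original thread: a check over a user-rights export that lists the admin accounts directly assigned "Deny log on locally", which are the accounts the thread reports as unusable with runas. The sample export and the account names adm-eric and adm-marie are constructed; the "adm-" prefix follows the naming used in the question.

```python
"""Flag admin accounts that hold "Deny log on locally" in a user-rights export."""

# Constructed sample of the text written by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# (real exports are UTF-16; SIDs carry a leading "*", local accounts appear by name).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,adm-eric
SeDenyInteractiveLogonRight = *S-1-5-32-546,adm-eric,adm-marie
SeDenyNetworkLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {right name: set of lower-cased principals} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {
            p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()
        }
    return rights


def runas_blocked(inf_text, prefix="adm-"):
    """List accounts with the given prefix that are directly denied local logon.

    A deny entry wins over SeInteractiveLogonRight, so adm-eric is still reported.
    Denials inherited through group membership are not resolved here.
    """
    denied = parse_privilege_rights(inf_text).get("SeDenyInteractiveLogonRight", set())
    return sorted(p for p in denied if p.startswith(prefix))


if __name__ == "__main__":
    for account in runas_blocked(SAMPLE_INF):
        print(f"{account}: Deny log on locally is set; runas with this account will fail")
```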


