Re: Use restricted accounts instead of Admin accounts. Problem with runas and deny logon locally


thank you for your answer.
The idea is to create a local admin account that will be ONLY available for the "run as" command and that will not be able to logon to an interactive session.

Why ?
Because in this situation the user will logon with a basic user account and only needed applications will be launched with admin priviledges (via the RunAS command). So, applications like Internet Explorer, Outlook etc... will not run with admin priviledges.

But ?
But the problem is that I would like to be sure that users will not logon directly with the admin accounts but it seems that the RunAS command need the "logon locally right".

So my question is "How can I force users to use only their basic user account and not the admin account when they logon interactively ?

I hope I am clear enough this time =)


Hello Eric,

If an account is restricted from local logon, how should it work locally? If you really need some user with local elevated permissions, why not using restricted groups and make them power users if this will be enough or local administrator?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!


we would like to secure the way our users are logging on to their

Some of them are travelling a lot; others need to launch a specific
application etc... So I was thinking about creating another user
account for each of them who need one and to configure the policy
"Deny Logon Locally".

So they would have two accounts :
1. The normal account "username" used by default and for the basic
2. The admin account "adm-username" with the "Deny logon locally"
applied to this account to restrict the user to open a session with
this account.

It seems that the "runas" command cannot work if the account used for
the runas doesnt have the "logon locally" right.

So my question is "How can I prevent the "adm-username" account to be
able to logon locally and in the meanwhile to allow this account to
launch programs as admin ?

Thank you