Re: Use restricted accounts instead of Admin accounts. Problem with runas and deny logon locally

I can see what you mean. You want the users to be able to use an Admin password but not to be able to log on with that account.
Vista UAC sounds like it may be the best you can do. That way the user is prompted about whether they really meant to do something, but they are able to do it if they choose.
I think that is the best you are going to do.

"Eric" <Eric_m@xxxxxxxxxxxxxxxxxx> wrote in message news:mn.c40d7d96103a5cc8.70874@xxxxxxxxxxxxxxxxxxxxx

We would like to secure the way our users are logging on to their computers.

Some of them are travelling a lot; others need to launch a specific application, etc. So I was thinking about creating another user account for each of them who needs one and configuring the policy "Deny Logon Locally".

So they would have two accounts:
1. The normal account "username" used by default and for the basic needs
2. The admin account "adm-username" with the "Deny logon locally" policy applied to this account to restrict the user from opening a session with this account.


It seems that the "runas" command cannot work if the account used for the runas doesn't have the "logon locally" right.

So my question is: how can I prevent the "adm-username" account from being able to log on locally and at the same time allow this account to launch programs as admin?

Thank you