Re: Use restricted accounts instead of Admin accounts. Problem with runas and deny logon locally




Eric,
I can see what you mean. You want the users to be able to use an Admin password but not to be able to log on with that account.
Vista UAC sounds like it may be the best you can do. That way the user is prompted about whether they really meant to do something, but they are able to do it if they choose.
I think that is the best you are going to do.
Anthony,
http://www.airdesk.com



"Eric" <Eric_m@xxxxxxxxxxxxxxxxxx> wrote in message news:mn.c40d7d96103a5cc8.70874@xxxxxxxxxxxxxxxxxxxxx
Hello,

We would like to secure the way our users are logging on to their computers.

Some of them are travelling a lot; others need to launch a specific application, etc. So I was thinking about creating another user account for each of them who needs one and configuring the policy "Deny Logon Locally".

So they would have two accounts:
1. The normal account "username", used by default and for the basic needs
2. The admin account "adm-username", with "Deny logon locally" applied to this account to prevent the user from opening a session with this account.

BUT...

It seems that the "runas" command cannot work if the account used for the runas doesn't have the "logon locally" right.

So my question is: "How can I prevent the "adm-username" account from being able to log on locally while still allowing this account to launch programs as admin?"

Thank you

--
Eric

