Re: Use restricted accounts instead of Admin accounts. Problem with runas and deny logon locally
"Eric" <Eric_m@xxxxxxxxxxxxxxxxxx> wrote in message news:mn.ca4e7d963c95abd5.70874@xxxxxxxxxxxxxxxxxxxxx
Hello,

thank you for your answer.
The idea is to create a local admin account that will be ONLY available for the "run as" command and that will not be able to logon to an interactive session.

Why?
Because in this situation the user will log on with a basic user account and only needed applications will be launched with admin privileges (via the RunAs command). So, applications like Internet Explorer, Outlook etc. will not run with admin privileges.

Just to give us an idea, what sorts of applications are being run that need local administrator privileges? Might you have the option to modify these so that they can be run by an account with regular user privileges?

But?
But the problem is that I would like to be sure that users will not log on directly with the admin accounts, but it seems that the RunAs command needs the "logon locally" right.

Are these users administrators in any other context in your organization? Or are they regular users that need privileges just in order to run applications that require elevated privileges?

If they are trusted with other privileged accounts, I'd suspect you would only need to ask them; if they are regular users, a better bet would be to find a way to make the applications run without elevated privileges.

If you are concerned what havoc they might wreak on a computer or that they would have access to other user files when logging in with a privileged account, don't forget that logging in interactively is not the only way these things can be done.

So my question is "How can I force users to use only their basic user account and not the admin account when they log on interactively?"

I hope I am clear enough this time =)

I think you were clear enough the first time. I'm just not sure that what you see as your solution is actually possible. It's kind of like the old story of the unhittable ball and the unmissable bat. Or maybe it's like the question the little kid asked: "if god can do *anything*, can he make a rock so heavy that he cannot lift it".

That said, have you tried your applications to see if they can be run by "power users"?

/Al

Thanks

Hello Eric,

If an account is restricted from local logon, how should it work locally? If you really need some user with local elevated permissions, why not use restricted groups and make them power users, if this will be enough, or local administrators?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Hello,

we would like to secure the way our users are logging on to their computers.

Some of them are travelling a lot; others need to launch a specific application etc. So I was thinking about creating another user account for each of them who needs one and configuring the policy "Deny Logon Locally".

So they would have two accounts:
1. The normal account "username" used by default and for the basic needs
2. The admin account "adm-username" with the "Deny logon locally" policy applied to this account to prevent the user from opening a session with this account.
BUT...

It seems that the "runas" command cannot work if the account used for the runas doesn't have the "logon locally" right.

So my question is "How can I prevent the "adm-username" account from being able to log on locally and in the meanwhile allow this account to launch programs as admin?"

Thank you


--
Eric
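An added example, not from the thread or any of its posters: a PowerShell audit that exports the local user-rights policy with secedit and reports which of the logon rights apply to a given account, directly or through its local group memberships. It assumes a local account named "adm-username" (the placeholder from the post) and an elevated PowerShell 5.1+ session; the right names and the "*SID" entry format are what secedit writes in the [Privilege Rights] section.

```powershell
# Added example (not from the thread): audit the local logon rights that apply to
# an account, so the "Deny log on locally" vs. runas conflict can be seen directly.
# Assumes a local account "adm-username" (placeholder from the post) and an
# elevated PowerShell 5.1+ session (secedit and Get-LocalGroupMember need it).
param([string]$Account = "adm-username")

# Export only the user-rights area of the local security policy to a temp file.
$inf = Join-Path $env:TEMP "user-rights.inf"
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# secedit lists principals as *SID, so collect the SIDs of the account and of
# every local group it belongs to (rights are usually granted via Users/Administrators).
$ntAccount = New-Object System.Security.Principal.NTAccount($Account)
$sids = @($ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value)
foreach ($g in Get-LocalGroup) {
    $members = Get-LocalGroupMember -Group $g.Name -ErrorAction SilentlyContinue
    if ($members | Where-Object { $_.SID.Value -eq $sids[0] }) { $sids += $g.SID.Value }
}

$rights = [ordered]@{
    SeInteractiveLogonRight     = "Allow log on locally"
    SeDenyInteractiveLogonRight = "Deny log on locally"
    SeNetworkLogonRight         = "Access this computer from the network"
    SeDenyNetworkLogonRight     = "Deny access to this computer from the network"
}

$found = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.+)$' -and $rights.Contains($matches[1])) {
        # Strip the leading '*' that marks a SID; plain names may appear unprefixed.
        $found[$matches[1]] = $matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}

foreach ($key in $rights.Keys) {
    $holders = @($found[$key])
    $hit = $holders | Where-Object { $sids -contains $_ -or $_ -eq $Account }
    $state = if ($hit) { "applies to $Account (via $($hit -join ', '))" } else { "not assigned" }
    "{0,-48} {1}" -f $rights[$key], $state
}

# Deny rights win over allow rights, and runas performs an interactive logon, so
# "Deny log on locally" blocks runas for the same account (the point the thread makes).
if ($found.SeDenyInteractiveLogonRight | Where-Object { $sids -contains $_ }) {
    Write-Warning "$Account is denied local logon: runas /user:$Account will fail as well."
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Run it once before and once after applying the policy to see which group grants "Allow log on locally" to the admin account and whether the deny entry now overrides it.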
