Deny Interactive Logon but Allow Runas



Hi,

We have a number of consultants who use a piece of very flaky software,
which sometimes requires uninstalling/re-installing, or having fix-packs
installed. As our users don't have local admin rights they usually have to
come to the IT department, and we put them in a kind of 'maintenance mode'
so they can perform the necessary tasks; this is just basically a group that
is a member of the local admins group. When in the office this isn't a
problem. However, if they are out on site, and they need to reinstall, this
causes problems.

One solution would be to put them in 'maintenance mode/local admin group' for
the entire time they are on a client site, but obviously this opens a number
of security holes.

Another solution would be to create a secondary user that does have local
admin rights, and to use this with the runas command to
uninstall/re-install, or perform other admin tasks.

However, I know our users; once they know the username & password, they will
try to log in as this user, as it's easier than having to keep using runas,
which then opens the same security holes as putting their standard users in
the local admin group.

Is there some way of allowing a user to log on using runas, but deny the
interactive logon? I've tried enabling 'Deny log on locally' via GP, but
this also denies the user Runas.

Or is there a 3rd way of doing this that I'm missing? Our users need to be
able to do certain admin functions, such as re-installing software, when on a
client's site, to perform their job properly; however, we don't want them
running in admin mode all the time.

Ben

P.S. We're running Windows XP SP2, on a Win 2003 R2 Domain
