Re: Deny Interactive Logon but Allow Runas
- From: "HEMI-Powered" <none@xxxxxxx>
- Date: Mon, 29 Oct 2007 13:58:41 GMT
Ben added these comments in the current discussion du jour ...
Hi,
We have a number of consultants who use a piece of very flaky
software, which some times requires
you don't say what this is, but have you considered getting
something un-flaky? unless this is very old legacy software and
there is no newer version, or it is custom-written, or the like,
you may have a problem but if you provide some hints as to what
your users really want to do, maybe somebody could give you an
intelligent suggestion.
uninstalling/re-installing, or having fix-packs installed. AsYou list some rather bizarre and difficult to implement
our users don't have local admin rights they usually have to
come to the IT department, and we put them in a kind of
'maintenance mode' so they can perform the necessary tasks,
this is just basically a group that is a member of the local
admins group. When in the office this isn't a problem.
However, if they are out on site, and they need to reinstall,
this causes problems.
One solution would be to put them 'maintenance mode/local
admin group' for the entire time they are on a client site,
but obviously this opens a number of security holes.
Another solution would be to create a secondary user that does
have local admin rights, and to use this with the runas
command to uninstall/re-install, or perform other admin tasks.
However, I know our users, once they know the username &
password, they will try to login as this user, as its easier
than having to keep using runas, which then opens the same
security holes as putting their standard users in the local
admin group.
Is there someway of allowing a user to logon using runas, but
deny the interactive logon? I've tried enabling 'Deny log on
locally' via GP, but this also denies the user Runas.
Or is there a 3rd way of doing this, that I'm missing? Our
users need to be able to do certain admin functions, such as
re-install software, when on a clients site, to perform their
job properly, however, we don't want them running in admin
mode all the time.
Ben
P.S We're running Windows XP SP2, on a Win 2003 R2 Domain
alternatives but again, wouldn't getting more stable software be
more appropriate?
--
HP, aka Jerry
.
- Follow-Ups:
- References:
- Deny Interactive Logon but Allow Runas
- From: Ben
- Deny Interactive Logon but Allow Runas
- Prev by Date: Re: Windows XP Backup
- Next by Date: Re: Remove Button Missing in Add/Remove
- Previous by thread: Deny Interactive Logon but Allow Runas
- Next by thread: Re: Deny Interactive Logon but Allow Runas
- Index(es):
