Re: Deny Interactive Logon but Allow Runas

HP,

The software is a piece of IBM software, and it would be nice if the
software were less flaky, or if there were a 3rd part alternative, I've
suggested this on a number of occasions. However we're an IBM business
partner, and tied in to using the specific piece of software in question.

I don't personally use the software, but I've been told by the guys that do,
that occasionally an install can become 'corrupt' and needs re-installing. I
don't know how true this is, the user who told me isn't the greatest end
user. The users may also need to install a fix-pack, which you have to be an
admin to install. One of the problems is they may go to a site, and find the
client has version 6 of the software, with fix pack 2, so they need to get
the install on their laptop to the same level as the client, this way any
'modeling' you do is guaranteed to work. But the next day they might go on
another site and find the client running v5.3 with fix pack 6.

We've tried virtualisation, running VMware, and giving the users local admin
rights to the virtual machine, which they can then install and uninstall
until their hearts content, however, this bit of software is so memory
hungry, that you have to have at least 4gb of RAM installed, with minimum
2gb dedicated to the VM to be able to run it anywhere smoothly enough to be
able to work on it.

What I'd 'like' is to say users can't install ANY software except this, this
and this. I don't know whether software restriction policies would be a
workable option, maybe we could add the install files hash or something..

Ben

"HEMI-Powered" <none@xxxxxxx> wrote in message
news:Xns99D8657CCA8AEReplyScoreID@xxxxxxxxxxxxxxxx
Ben added these comments in the current discussion du jour ...

Hi,

We have a number of consultants who use a piece of very flaky
software, which some times requires

you don't say what this is, but have you considered getting
something un-flaky? unless this is very old legacy software and
there is no newer version, or it is custom-written, or the like,
you may have a problem but if you provide some hints as to what
your users really want to do, maybe somebody could give you an
intelligent suggestion.

uninstalling/re-installing, or having fix-packs installed. As
our users don't have local admin rights they usually have to
come to the IT department, and we put them in a kind of
'maintenance mode' so they can perform the necessary tasks,
this is just basically a group that is a member of the local
admins group. When in the office this isn't a problem.
However, if they are out on site, and they need to reinstall,
this causes problems.

One solution would be to put them 'maintenance mode/local
admin group' for the entire time they are on a client site,
but obviously this opens a number of security holes.

Another solution would be to create a secondary user that does
have local admin rights, and to use this with the runas
command to uninstall/re-install, or perform other admin tasks.

However, I know our users, once they know the username &
password, they will try to login as this user, as its easier
than having to keep using runas, which then opens the same
security holes as putting their standard users in the local
admin group.

Is there someway of allowing a user to logon using runas, but
deny the interactive logon? I've tried enabling 'Deny log on
locally' via GP, but this also denies the user Runas.

Or is there a 3rd way of doing this, that I'm missing? Our
users need to be able to do certain admin functions, such as
re-install software, when on a clients site, to perform their
job properly, however, we don't want them running in admin
mode all the time.

Ben

P.S We're running Windows XP SP2, on a Win 2003 R2 Domain

You list some rather bizarre and difficult to implement
alternatives but again, wouldn't getting more stable software be
more appropriate?

--
HP, aka Jerry


.

Relevant Pages

  • RE: Anonymous Web based printing for standard users
    ... local admin group, login and install the printeras the user, then remove ... them from the admin group. ... > which the printer is installed, either using IPP or RPC. ... > creates a local queue which requires local admin rights and with RPC it does ...
    (microsoft.public.inetserver.iis)
  • Re: Client Installation Issues: SMS 2.0 SP5
    ... Log on locally as LOCAL admin and install. ... Log on Locally as domain user who has LOCAL admin rights. ... The SMS Service account IS a domain admin ...
    (microsoft.public.sms.setup)
  • Re: trying to install advanced client
    ... For push install, the Admin$ share is 'required'. ... If you can't do push, you might want to try group policy. ... It is a classified network and every-time I do a client install ...
    (microsoft.public.sms.setup)
  • Re: Adv client install fails when Local Admin
    ... IIRC, what is needed permissions wise is Local admin, which you already ... the Advanced Client network access account. ... Have you configured an Advanced Client Network Access Account? ... > the user is a Local admin and attempting to install. ...
    (microsoft.public.sms.setup)
  • Re: trying to install advanced client
    ... In a locked down network, group policy is usually the only automated method ... All other methods depend on either the admin$ share to be present, ... > For push install, ... It is a classified network and every-time I do a client ...
    (microsoft.public.sms.setup)