Use restricted accounts instead of Admin accounts. Problem with runas and deny logon locally

Discussion in 'Server Security' started by Eric, Jun 24, 2009.

  1. Eric

    Eric Guest

    Hello,

    we would like to secure the way our users are logging on to their
    computers.

    Some of them are travelling a lot; others need to launch a specific
    application etc... So I was thinking about creating another user
    account for each of them who need one and to configure the policy "Deny
    Logon Locally".

    So they would have two accounts :
    1. The normal account "username" used by default and for the basic
    needs
    2. The admin account "adm-username" with the "Deny logon locally"
    applied to this account to restrict the user to open a session with
    this account.

    BUT...

    It seems that the "runas" command cannot work if the account used for
    the runas doesn't have the "logon locally" right.

    So my question is: "How can I prevent the "adm-username" account from
    being able to log on locally while still allowing this account to
    launch programs as admin?"

    Thank you

    --
    Eric
    Eric, Jun 24, 2009
    #1

  2. Hello Eric,

    If an account is restricted from local logon, how should it work locally?
    If you really need some user with local elevated permissions, why not use
    restricted groups and make them power users, if this will be enough, or local
    administrators?

    Best regards

    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.
    ** Please do NOT email, only reply to Newsgroups
    ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


    > Hello,
    >
    > we would like to secure the way our users are logging on to their
    > computers.
    >
    > Some of them are travelling a lot; others need to launch a specific
    > application etc... So I was thinking about creating another user
    > account for each of them who need one and to configure the policy
    > "Deny Logon Locally".
    >
    > So they would have two accounts :
    > 1. The normal account "username" used by default and for the basic
    > needs
    > 2. The admin account "adm-username" with the "Deny logon locally"
    > applied to this account to restrict the user to open a session with
    > this account.
    > BUT...
    >
    > It seems that the "runas" command cannot work if the account used for
    > the runas doesn't have the "logon locally" right.
    >
    > So my question is: "How can I prevent the "adm-username" account from
    > being able to log on locally while still allowing this account to
    > launch programs as admin?"
    >
    > Thank you
    >
    Meinolf Weber [MVP-DS], Jun 24, 2009
    #2

  3. Eric

    Eric Guest

    Re: Use restricted accounts instead of Admin accounts. Problem with runas and deny logon locally

    Hello,

    thank you for your answer.
    The idea is to create a local admin account that will be ONLY available
    for the "run as" command and that will not be able to logon to an
    interactive session.

    Why ?
    Because in this situation the user will log on with a basic user account
    and only the needed applications will be launched with admin privileges
    (via the RunAs command). So applications like Internet Explorer,
    Outlook etc. will not run with admin privileges.

    But ?
    But the problem is that I would like to be sure that users will not
    log on directly with the admin accounts, but it seems that the RunAs
    command needs the "logon locally" right.

    So my question is: "How can I force users to use only their basic user
    account and not the admin account when they log on interactively?"

    I hope I am clear enough this time =)

    Thanks

    > Hello Eric,
    >
    > If an account is restricted from local logon, how should it work locally? If
    > you really need some user with local elevated permissions, why not use
    > restricted groups and make them power users, if this will be enough, or local
    > administrators?
    >
    > Best regards
    >
    > Meinolf Weber
    > Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    > no rights.
    > ** Please do NOT email, only reply to Newsgroups
    > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
    >
    >


    --
    Eric
    Eric, Jun 25, 2009
    #3
  4. Eric,
    I can see what you mean. You want the users to be able to use an Admin
    password but not to be able to log on with that account.
    Vista UAC sounds like it may be the best you can do. That way the user is
    prompted for whether they really meant to do something, but they are able to do
    it if they choose.
    I think that is the best you are going to do.
    Anthony,
    http://www.airdesk.com



    "Eric" <> wrote in message
    news:...
    > Hello,
    >
    > we would like to secure the way our users are logging on to their
    > computers.
    >
    > Some of them are travelling a lot; others need to launch a specific
    > application etc... So I was thinking about creating another user account
    > for each of them who need one and to configure the policy "Deny Logon
    > Locally".
    >
    > So they would have two accounts :
    > 1. The normal account "username" used by default and for the basic needs
    > 2. The admin account "adm-username" with the "Deny logon locally" applied
    > to this account to restrict the user to open a session with this account.
    >
    > BUT...
    >
    > It seems that the "runas" command cannot work if the account used for the
    > runas doesn't have the "logon locally" right.
    >
    > So my question is: "How can I prevent the "adm-username" account from being
    > able to log on locally while still allowing this account to launch
    > programs as admin?"
    >
    > Thank you
    >
    > --
    > Eric
    >
    >
    Anthony [MVP], Jun 25, 2009
    #4
  5. Al Dunbar

    Al Dunbar Guest

    Re: Use restricted accounts instead of Admin accounts. Problem with runas and deny logon locally

    "Eric" <> wrote in message
    news:...
    > Hello,
    >
    > thank you for your answer.
    > The idea is to create a local admin account that will be ONLY available
    > for the "run as" command and that will not be able to logon to an
    > interactive session.
    >
    > Why ?
    > Because in this situation the user will log on with a basic user account
    > and only the needed applications will be launched with admin privileges (via
    > the RunAs command). So applications like Internet Explorer, Outlook
    > etc. will not run with admin privileges.


    Just to give us an idea, what sorts of applications are being run that need
    local administrator privileges? Might you have the option to modify these so
    that they can be run by an account with regular user privileges?

    > But ?
    > But the problem is that I would like to be sure that users will not log on
    > directly with the admin accounts, but it seems that the RunAs command needs
    > the "logon locally" right.


    Are these users administrators in any other context in your organization? Or
    are they regular users that need privileges just in order to run
    applications that require elevated privileges?

    If they are trusted with other privileged accounts, I'd suspect you would
    only need ask them; if they are regular users, a better bet would be to find
    a way to make the applications run without elevated privileges.

    If you are concerned what havoc they might wreak on a computer or that they
    would have access to other user files when logging in with a privileged
    account, don't forget that logging in interactively is not the only way
    these things can be done.

    > So my question is: "How can I force users to use only their basic user
    > account and not the admin account when they log on interactively?"
    >
    > I hope I am clear enough this time =)


    I think you were clear enough the first time. I'm just not sure that what
    you see as your solution is actually possible. It's kind of like the old
    story of the unhittable ball and the unmissable bat. Or maybe it's like the
    question the little kid asked: "if god can do *anything*, can he make a rock
    so heavy that he cannot lift it".

    That said, have you tried your applications to see if they can be run by
    "power users"?

    /Al

    > Thanks
    >
    >> Hello Eric,
    >>
    >> If an account is restricted from local logon, how should it work locally?
    >> If you really need some user with local elevated permissions, why not
    >> using restricted groups and make them power users if this will be enough
    >> or local administrator?
    >>
    >> Best regards
    >>
    >> Meinolf Weber
    >> Disclaimer: This posting is provided "AS IS" with no warranties, and
    >> confers no rights.
    >> ** Please do NOT email, only reply to Newsgroups
    >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
    >>
    >>

    >
    > --
    > Eric
    >
    >
    Al Dunbar, Jun 26, 2009
    #5
  6. Eric

    Eric Guest

    I had an idea that consists of changing the "Shell" value in
    HKeyUser\SId\Software\Microsoft\Windows NT\CurrentVersion\Winlogon from
    explorer.exe to "shutdown -l".

    So the admin user has the right to open the session but the session
    will close immediately :)

    (I know that, as it is an admin, he could change the value to
    explorer.exe).

    Now my problem is ... I think that the admin account has to have
    already opened a session one time on the computer to let me add the
    "Shell" key.

    Moreover, this value has to be added for every different admin account
    on every possible computer in the domain (or by restricting the admin
    account for the user only to his specific computer?).

    If you have some advice, please let me know :)

    Thanks

    > Eric,
    > I can see what you mean. You want the users to be able to use an Admin
    > password but not to be able to log on with that account.
    > Vista UAC sounds like it may be the best you can do. That way the user is
    > prompted for whether they really meant to do something, but they are able to do it
    > if they choose.
    > I think that is the best you are going to do.
    > Anthony,
    > http://www.airdesk.com
    >
    >
    >


    --
    Eric
    Eric, Jul 3, 2009
    #6
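The thread's goal is that the "adm-" accounts are used only through runas and never for an interactive session. Since the "Deny log on locally" right also blocks runas, a complementary control is to detect interactive logons by those accounts from the Security log. The script below is an added example, not code from the thread; it assumes the "adm-" naming convention from the posts and that console logons record winlogon.exe as the Process Name in event 4624, whereas runas goes through the Secondary Logon service (svchost.exe), which is an assumption to verify on your own build.

```powershell
# Added example: list interactive console logons by "adm-*" accounts in the
# last N hours. Assumes console logons show winlogon.exe as the 4624
# Process Name and runas shows svchost.exe (Secondary Logon service).
param(
    [string]$Prefix       = 'adm-',                 # naming convention from the thread
    [int]$Hours           = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624                                # "An account was successfully logged on"
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

$hits = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # LogonType 2 = interactive (console), 11 = cached interactive (offline laptop)
    if (@('2', '11') -notcontains $d.LogonType) { continue }
    if ($d.TargetUserName -notlike "$Prefix*")   { continue }
    # runas also produces LogonType 2; keep only logons initiated by Winlogon
    if ($d.ProcessName -notlike '*\winlogon.exe') { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType = $d.LogonType
        Process   = $d.ProcessName
        Computer  = $e.MachineName
    }
}

if ($hits) {
    $hits | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Output "No interactive logons by '$Prefix*' accounts in the last $Hours hours."
}
```

Run it from an account that can read the Security log on the target machine; a non-empty result means an "adm-" account was used at the console rather than through runas.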
