Use restrictec accounts instead of Admin accounts. Problem with runas and deny logon locally

Discussion in 'Server Security' started by Eric, Jun 24, 2009.

  1. Eric

    Eric Guest


    we would like to secure the way our users are logging on to their

    Some of them are travelling a lot; others need to launch a specific
    application etc... So I was thinking about creating another user
    account for each of them who need one and to configure the policy "Deny
    Logon Locally".

    So they would have two accounts :
    1. The normal account "username" used by default and for the basic
    2. The admin account "adm-username" with the "Deny logon locally"
    applied to this account to restrict the user to open a session with
    this account.


    It seems that the "runas" command cannot work if the account used for
    the runas doesnt have the "logon locally" right.

    So my question is "How can I prevent the "adm-username" account to be
    able to logon locally and in the meanwhile to allow this account to
    launch programs as admin ?

    Thank you
    Eric, Jun 24, 2009
    1. Advertisements

  2. Hello Eric,

    If an account is restricted from local logon, how should it work locally?
    If you really need some user with local elevated permissions, why not using
    restricted groups and make them power users if this will be enough or local

    Best regards

    Meinolf Weber
    Meinolf Weber [MVP-DS], Jun 24, 2009
    1. Advertisements

  3. Eric

    Eric Guest


    thank you for your answer.
    The idea is to create a local admin account that will be ONLY available
    for the "run as" command and that will not be able to logon to an
    interactive session.

    Why ?
    Because in this situation the user will logon with a basic user account
    and only needed applications will be launched with admin priviledges
    (via the RunAS command). So, applications like Internet Explorer,
    Outlook etc... will not run with admin priviledges.

    But ?
    But the problem is that I would like to be sure that users will not
    logon directly with the admin accounts but it seems that the RunAS
    command need the "logon locally right".

    So my question is "How can I force users to use only their basic user
    account and not the admin account when they logon interactively ?

    I hope I am clear enough this time =)

    Eric, Jun 25, 2009
  4. Eric,
    I can see what you mean. You want the users to be able to use an Admin
    password but not to be able to log on with that account.
    Vista UAC sounds like it may be the best you can do. That way the user is
    prompted for if they really meant to do something, but they are able to do
    it if they choose.
    I think that is the best you are going to do
    Anthony [MVP], Jun 25, 2009
  5. Eric

    Al Dunbar Guest

    Just to give us an idea, what sorts of applications are being run that need
    local administrator privileges? Might you have the option to modify these so
    that the can be run by an account with regular user privileges?
    Are these users administrators in any other context in your organization? Or
    are they regular users that need privileges just in order to run
    applications that require elevated privileges?

    If they are trusted with other privileged accounts, I'd suspect you would
    only need ask them; if they are regular users, a better bet would be to find
    a way to make the applications run without elevated privileges.

    If you are concerned what havoc they might wreak on a computer or that they
    would have access to other user files when logging in with a privileged
    account, don't forget that logging in interactively is not the only way
    these things can be done.
    I think you were clear enough the first time. I'm just not sure that what
    you see as your solution is actually possible. It's kind of like the old
    story of the unhittable ball and the unmissable bat. Or maybe it's like the
    question the little kid asked: "if god can do *anything*, can he make a rock
    so heavy that he cannot lift it".

    That said, have you tried your applications to see if they can be run by
    "power users"?

    Al Dunbar, Jun 26, 2009
  6. Eric

    Eric Guest

    I had an idea that consist to change the "Shell" in
    HKeyUser\SId\Software\Microsoft\Windows NT\CurrentVersion\Winlogon from
    explorer.exe to "shutdown -l".

    So the admin user has the right to open the session but the session
    will close immediately :)

    (I know that, as it is an admin, he could change the value to

    Now my problem is ... I think that the admin account has to have
    already opened a session one time on the computer to let me add the
    "Shell" key.

    Moreover this value has to be added for every different admin account
    on every possible computers in the domain (or by restriting the admin
    account for the user only to his specific computer ?).

    If you have some advices, please let me know :)

    Eric, Jul 3, 2009
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.