Hello, we would like to secure the way our users are logging on to their computers. Some of them are travelling a lot; others need to launch a specific application etc... So I was thinking about creating another user account for each of them who need one and to configure the policy "Deny Logon Locally". So they would have two accounts : 1. The normal account "username" used by default and for the basic needs 2. The admin account "adm-username" with the "Deny logon locally" applied to this account to restrict the user to open a session with this account. BUT... It seems that the "runas" command cannot work if the account used for the runas doesnt have the "logon locally" right. So my question is "How can I prevent the "adm-username" account to be able to logon locally and in the meanwhile to allow this account to launch programs as admin ? Thank you