Local Admin Account with Deny Logon Locally

sergeykuz

Hi,
I am trying to create an account that would allow certain users to
install software on their XP SP2 desktops. I don't want them to use
the account to logon in the morning but rather have them supply its
credentials in the Run As box when they run software or patch
installation files. I created an account and created a GPO for the
Test OU that added it to the Local Admins group, set "Deny Logon
Locally" to "Enabled" and specified the account in the "Logon as a
Service" setting. I applied the GPO and checked to make sure that the
account was now in the Local Admins group. However, when I logon
locally as a regular user and try to install an application using Run
As with the new account's credentials I get the error "Logon failure:
the user has not been granted the requested logon type at this
computer." I guess I was wrong assuming that when you use Run As, the
system does not treat it as a local logon? Is there any other setting
that I should have configured?
Thanks
 
Lanwench [MVP - Exchange]

It's a local login, yes, so your solution won't work.

You *could* do something a little cheesy - set up a login script for this
domain user so that if someone did log in with it to a workstation, they'd
be logged out of the domain immediately. You could modify the stuff here

http://www.amset.info/windows/limit-logins.asp

.....to do so.
 
Anteaus

This might be a usable alternative. It allows a limited user to self-promote
(given an Admin password) and reminds them to de-promote after a reasonable
time has been allowed to do whatever they need.

Since it promotes the user's own account, it avoids the problem of
loss-of-settings inherent in changing account.

It's not at production status yet (bug reports welcome) so use at your own
discretion.

http://mylogon.net/su/
 
sergeykuz

Thanks,
I am trying to write a script now that would log that user off after 3
minutes if logged on locally. That should be enough to initialize an
installation via Run As but inconvenient enough to prevent local
logons.
 
Lanwench [MVP - Exchange]

But if you log them out when the install is going on, this won't work. The
login script method will keep them from logging in as that account, but will
not fire off when they use RunAs.
 
sergeykuz

Ok, I think I got it done now. I created a little logon script that
checks the user's name at logon and if it is that administrative
account it logs it right off (it's set for 15 seconds). At the same
time it works fine for installations as in the Group Policy it is
combined with adding that account to the Local Admins group on all
computers. One tricky part was having to apply this GPO to the
Computers OU as well as the Users OU that hosts that user account
because of the 2-part GPO settings.
Thanks,
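The logon script described in the post above, written out as an added example (it is not the script the poster wrote, and the account and domain names CORP\SWINSTALL are assumed). It is meant to be assigned through the User Configuration half of the GPO, so it only runs when that account logs on interactively; Run As performs a secondary logon without running logon scripts, so installs started with Run As are not interrupted. The name check includes %USERDOMAIN% so that a same-named local account on the workstation does not trigger it.

```batch
@echo off
rem Added example: logon script that logs the delegated-admin account off
rem if anyone uses it for an interactive (console) logon.
rem Assumed names: domain CORP, account SWINSTALL (both hypothetical).

rem Case-insensitive compare; include the domain so a local account that
rem happens to have the same name is not caught by mistake.
if /I not "%USERDOMAIN%\%USERNAME%"=="CORP\SWINSTALL" goto :eof

echo %USERNAME% is for "Run As" only. You will be logged off in 15 seconds.

rem XP has no built-in sleep; waiting 16 pings to localhost takes ~15 seconds.
ping -n 16 127.0.0.1 >nul

rem -l logs the current session off, -f closes running programs without prompting.
shutdown -l -f
```

Two caveats when deploying it: the GPO that carries this script must be linked where the user account lives, while the Restricted Groups setting that adds the account to local Administrators must apply to the computers, which is why the poster linked the GPO to both OUs; and because the account is a local administrator, a user who logs on with it interactively can kill the script's cmd.exe process from Task Manager inside the 15-second window, so this discourages console logons rather than preventing them. Separately, the account's "Deny log on locally" setting has to stay off, since that right covers the Run As logon as well.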