Run as administrator / disable logon locally

[Siberiantiger]

Hi!

Is there a way to prevent users from logging on locally with a spesific local user (first PC login) but still be able to Run as local user after logged on to the PC with a AD user?

 

[logicearth]

To login with Run as requires the ability for one to login into that account locally. You cannot have your cake and eat it as well.

 

[Siberiantiger]

Thanks for your reply. Our case is users that have an active directory user that is not local administrator. But they do have access to a local administrator user on the computer that they can use to run or install certain software that needs admin rights, but we do not want them to only login as the local administrator all times, just when they really need it. So f.eks preventing them from reaching printeres or fileshares when logged on as a local user would be nice. Is this possible or is there any better ideas?

 

[macxs]

Hi Siberiantiger,
same thing here.

I just want to show an option how to prevent people from logging in with local admin.
We created a domain account and

• removed this account from domain users
• add this account to group "local admins"
• make domain group "local admins" member of local group "Administrators"
• script runs daily that changes password (14 chars)
• same script sets the account to expire in 24hrs
• daily password is listed on an intranet site

Additionally a computer script creates a local admin, renews the random password every 2 Months and pushes the password to a SQL DB - in case of emergency.

I was also interested in how to disable interactive logon preserving the ability to elevate rights with this account. Too bad that this is impossible.

HTH