Long post, but I think it's better to have some background and understand
what I'm trying to achieve.

Most users are happy to run as power users, and get applications installed
for them via group policy. Some users, though, need to have the ability to
install applications, and for these users I create a local administrative
user and tell them to use it to install applications. However, what ends up
happening is they log in as that admin user to install applications and
often end up logging in as the admin user all day, every day.

Again, most users will be happy as a power user, getting applications
installed for them via group policy. Some users will need to install
applications, and for them I would like to create a local administrative
user. BUT to prevent them from logging in as that user, I want to disable
the ability for that user to log in interactively. The idea being that the
user will be prompted for admin credentials by the UAC, they enter them and
the software installs. They CANNOT log in to Windows as the local admin
user, so have to run Windows as their power user.

So the task is to try to deny a user the right to log on to Windows, but
still allow the user's credentials to be used in the UAC. I have tried
setting the policy "Computer Configuration\Windows Settings\Security
Settings\User Rights Assignment\Deny log on locally" and this prevents the
user logging in to Windows, but it also stops the credentials being usable
in the UAC.