local administravtive users & UAC

local administravtive users & UAC

Post by andy_ » Thu, 22 Nov 2007 22:16:13

Long post, but I think it's better to have some background and understand
what I'm trying to achieve.

XP environment:
Most users are happy to run as power users, and get applications installed
for them via group policy. Some users though need to have the ability to
install applications, and for these users I create a local administrative
user and tell them to use it to install applications. However what ends up
happening is they login as that admin user to install applications and often
end up logging in as the admin user all day every day.

Again most users will be happy as a power user, getting applications
installed for them via group policy. Some users will need to install
applications and for them I would like to create a local administrative
user. BUT to prevent them from logging in as that user I want to disable the
ability for that user to login interactively. The idea being that the user
will be prompted for admin credentials by the UAC, they enter them and the
software installs. They CANNOT login to windows as the local admin user so
have to run windows as their power user.

So the task is to try to deny a user the right to logon to windows, but
still allow the user's credentials be used in the UAC. I have tried setting
the policy "Computer Configuration\Windows Settings\Security Settings\User
Rights Assignment\Deny log on locally" and this prevents the user logging in
to windows, but it also stops the credentials being usable in the UAC.

Any thoughts?

local administravtive users & UAC

Post by f/fgeorg » Thu, 22 Nov 2007 23:11:01

Sounds like you need a Server, it has lots of logon account variables
that you can set.


local administravtive users & UAC

Post by andy_ » Thu, 22 Nov 2007 23:18:32

These PCs are all part of a Windows 2003 active directory, the question
refers to a local user on workstations within a domain


local administravtive users & UAC

Post by SmVzcGV » Fri, 23 Nov 2007 02:36:01

have a few comments on this. Overall, I would suggest you deny elevation
for Standard Users, which forces them to use Fast User Switching to an
administrative account instead. I am very puzzled why you wish to try to
prevent that. If the problem is that users will log on with their
administrative account I think your problem is better solved by enforcing an
organizational security policy.

1. UAC elevation is a local logon. Therefore, if you deny local logon you
also deny UAC elevation.
2. It is FAR more secure to use FUS to run elevated processes than it is to
elevate them within the existing standard user desktop. It is kind of a pain,
but if you do not need to do it very often it is a much better option.
3. Power Users are equivalent to Standard Users in Vista. They have almost
no permissions that Standard Users do not have.
4. Power Users on XP is functionally equivalent to Administrators. It
provides no security whatsoever to make a user a Power User instead of an
Administrator. At best it prevents them from very easily shooting themselves
in the foot, but even that is not true in all cases.
Your question may already be answered in Windows Vista Security:

" XXXX@XXXXX.COM " wrote:


local administravtive users & UAC

Post by DevilsPG » Fri, 23 Nov 2007 08:32:27


I haven't tested this, but if you used group policies to replace the
shell with logoff.exe, that would probably do the trick.

The shell doesn't get called by UAC logins, but does get called if the
user tries to login a desktop session.

local administravtive users & UAC

Post by andy_ » Fri, 23 Nov 2007 18:57:15

hanks for the reply. At my organization the security policy is a general
document that talks about principles rather than a lengthy volume with
specifics like this.

As for the book , its the one I read before I posted the question. :-)

"Jesper" < XXXX@XXXXX.COM > wrote in message
news: XXXX@XXXXX.COM ...


local administravtive users & UAC

Post by andy_ » Fri, 23 Nov 2007 19:00:20

It's crazy enough. It might just work.

Thanks I will try.

local administravtive users & UAC

Post by DevilsPG » Sat, 24 Nov 2007 08:56:10

In message <eu43# XXXX@XXXXX.COM > < XXXX@XXXXX.COM >

My favourite kind of solution :) Let me know how it goes...