
Deny Interactive Logon... But Keep Run-As?


  • Deny Interactive Logon... But Keep Run-As?

    Pretty much as the title says...

    Is it possible to deny interactive logon to a computer object, but still allow the account to have run-as rights on that same computer object?

    As a security precaution (recently had several outbreaks of Conficker) we have decided to revoke administrative rights from all of our staff accounts... and instead create separate administrative accounts for them that they should only use to "run-as" tasks that require those rights.

    Problem is... many staff simply refuse to do this and log in directly using the admin account, therefore compromising the security of the system in doing so.

    In GPO there is the option to deny interactive logon... which does exactly what it says but also prevents the run-as feature from working (says that it is ALSO blocked by policy).

    Any ideas on how we can proceed?

  • #2
    Re: Deny Interactive Logon... But Keep Run-As?

    Maybe some random monitoring and management enforcement?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Deny Interactive Logon... But Keep Run-As?

      Set their logon shell to run the logoff command?
      Please do show your appreciation to those who assist you by leaving Rep Point


      • #4
        Re: Deny Interactive Logon... But Keep Run-As?

        Use Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment
        to set Deny logon locally for this account.

        Thanks to: Jerold Schulman
        Windows Server MVP
        JSI, Inc.
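
One way to do the monitoring suggested in reply #2, as an added example that is not from any poster in this thread: list direct interactive logons by the separate admin accounts while ignoring run-as sessions. It assumes Windows Vista/Server 2008 or later (event ID 4624), PowerShell 3.0 or later, a hypothetical `adm-*` naming convention for the admin accounts, and that run-as logons are recorded with the logon process `seclogo` (Secondary Logon service); confirm that last point on a test machine before relying on it.

```powershell
# Added example (not from the thread). Run elevated on the workstation, or
# against forwarded Security logs.
# Assumption: admin accounts follow a hypothetical "adm-*" naming convention.
$AdminPattern = 'adm-*'
$Since        = (Get-Date).AddDays(-1)

# Interactive logon types: 2 = console, 10 = Remote Desktop, 11 = cached credentials.
$InteractiveTypes = 2, 10, 11

Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624          # "An account was successfully logged on"
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
ForEach-Object {
    # Read the named EventData fields instead of relying on positional indexes.
    $fields = @{}
    foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
        $fields[$node.Name] = $node.'#text'
    }
    [pscustomobject]@{
        Time         = $_.TimeCreated
        Computer     = $_.MachineName
        Account      = $fields['TargetUserName']
        LogonType    = [int]$fields['LogonType']
        # The logon process name is often padded with trailing spaces.
        LogonProcess = "$($fields['LogonProcessName'])".Trim()
    }
} |
Where-Object {
    $_.Account -like $AdminPattern -and
    $_.LogonType -in $InteractiveTypes -and
    # Run-as also produces an interactive logon, which is why "Deny logon
    # locally" blocks it too. Assumption: it is logged with process "seclogo".
    $_.LogonProcess -ne 'seclogo'
} |
Sort-Object Time |
Format-Table Time, Computer, Account, LogonType, LogonProcess -AutoSize
```

Any rows returned are admin accounts that signed in at the console or over Remote Desktop rather than through run-as, which gives management a concrete list to follow up on.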