i guys
There is a way to deny interactive logon to a workstation but permit the priviledge escalation(run as)?
I tried with this local GPO
Use Computer Configuration / Windows Settings / Security Settings / Local Policy User Rights Assignment
to set Deny logon locally for this account.
but it does not work because deny also the privilege escalarion or run as...not only the interactive logon. We would need for some Laptop in workgroup
tanks a lot!
GIO
Windows uses group policy to control interactive logon AND the use of "run as." So the policy will not provide you a direct way to restrict one but not the other.
A work around may be where you can force the interactive logon to logoff immediately instead of logging on instead. You can do this with the following:
Create an OU to group your restricted logon accounts. Move the user accounts into this OU.
Create a GPO and apply to the OU
Edit the GPO: User Configuration > Policies > Administrative Template > System
a. set Custom User Interafce to logoff.exe
You will need to run either gpupdate to apply the settings to on the computers you intend to test if you need to verify it quickly.
Cordially,
Ronnie Wong
Edutainer Manager, ITProTV
*if the post above has answered the question, please mark as solved.
**All "answers" and responses are offered "as is" and my opinion. There is no implied service, support, or guarantee by ITProTV.
Tanks Ronnie for your help i'll try to implement the solution!!!!
Just to understand .....We have some users with laptop used to develop embedded software that sometimes needs admin right for daily work (ex: configure network or serial ports to connect some instrumentation ) but our supervisor would not want they can login with user with admin right. They should use the standard user and use the admin user only through UAC when they need....
For the moment this kinds of laptop are used in workgroup and from what i have understood the only solution is join the domain and use Group Policy? Is impossible to do that with local account in workgroup?
Tanks a lot and sorry for my English
You will not be able to use the local group policy to implement this workaround.
I cannot think of another way to do what you're required to do. Try the solution as test with just a single machine in this group.
Cordially,
Ronnie Wong
Edutainer Manager, ITProTV
*if the post above has answered the question, please mark as solved.
**All "answers" and responses are offered "as is" and my opinion. There is no implied service, support, or guarantee by ITProTV.
I tried to implement the solution and it works!!!!....Tanksssss!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Glad to help! Tell your friends in IT about us! 
Cordially,
Ronnie Wong
Edutainer Manager, ITProTV
*if the post above has answered the question, please mark as solved.
**All "answers" and responses are offered "as is" and my opinion. There is no implied service, support, or guarantee by ITProTV.
