There is a way to deny interactive logon to a workstation but permit the priviledge escalation(run as)?
I tried with this local GPO
Use Computer Configuration / Windows Settings / Security Settings / Local Policy User Rights Assignment
to set Deny logon locally for this account.
but it does not work because deny also the privilege escalarion or run as...not only the interactive logon. We would need for some Laptop in workgroup
tanks a lot!