Deny log on but allow admin authentication

  • Question

  • I would like to deny log on access to users of a particular domain but allow them to provide admin access to regular users.  

    To be more clear:  say I have a user account we'll call 'userA' that is a member of 'domainA'.  I would like to give userA admin rights on a computer but block all users from 'domainA' from actually logging on to the desktop as a regular user. 

    I found a policy at 'Computer Configuration/Policies/Windows Settings/Security Settings/User Rights Assignment/Deny log on locally' but that policy also denies users from the domain from elevating as admins.  Is there a way to do what I'm looking for?

    Thursday, January 8, 2015 6:23 PM

Answers

  • > privileges with their Domain-B account).  However, we do not want these
    > users to be able to login in to Windows with their Domain-B account.
     
    You cannot. To elevate, the user must have "allow logon locally"...
     

    Martin

    Ever read a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    • Proposed as answer by Frank Shen5 Tuesday, January 20, 2015 6:56 AM
    • Marked as answer by Frank Shen5 Wednesday, January 21, 2015 1:08 AM
    Monday, January 12, 2015 1:10 PM
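    Added example, in PowerShell, not code from the thread or from either poster: an audit script that exports the local machine's effective User Rights Assignment with `secedit.exe` and reports which principals hold "Allow log on locally" (`SeInteractiveLogonRight`) and "Deny log on locally" (`SeDenyInteractiveLogonRight`), so an administrator can verify how a Domain-B admin account is affected before relying on it for elevation. The account name `DOMAINB\userA` is a placeholder assumption; the function name `Get-InteractiveLogonRights` is the script's own. It must run from an elevated session because `secedit /export` requires administrative rights.

```powershell
# Added example, not code from the thread or its posters.
# Audits the effective "Allow log on locally" (SeInteractiveLogonRight) and
# "Deny log on locally" (SeDenyInteractiveLogonRight) assignments on this machine
# and reports whether a given account is named directly in either.
# Run from an elevated PowerShell session; secedit.exe needs admin rights to export.
param(
    # Placeholder account to check (assumed value); substitute the real DOMAIN\user.
    [string]$AccountToCheck = 'DOMAINB\userA'
)

function Get-InteractiveLogonRights {
    $cfg = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
    # Export only the User Rights Assignment area of the effective local policy.
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $cfg)) {
        throw 'secedit export failed; run this from an elevated PowerShell session.'
    }
    try {
        $rights = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\[(.+)\]\s*$') {
                $inSection = ($Matches[1] -eq 'Privilege Rights')
                continue
            }
            if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
            $name = $Matches[1]
            $principals = foreach ($entry in ($Matches[2] -split ',')) {
                $p = $entry.Trim()
                if ($p.Length -eq 0) { continue }
                if ($p.StartsWith('*')) {
                    # secedit writes principals as '*<SID>'; translate to DOMAIN\name when it resolves.
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($p.Substring(1))
                    try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $sid.Value }   # unresolvable SID (deleted account, unreachable domain)
                } else {
                    $p
                }
            }
            $rights[$name] = @($principals)
        }
        return $rights
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$rights = Get-InteractiveLogonRights
$allow  = @($rights['SeInteractiveLogonRight'])
$deny   = @($rights['SeDenyInteractiveLogonRight'])

'Allow log on locally : {0}' -f ($allow -join ', ')
'Deny log on locally  : {0}' -f ($deny  -join ', ')

# A deny right always overrides an allow right for the same principal.
if ($deny -contains $AccountToCheck) {
    '{0} is denied local logon directly; it cannot log on or elevate interactively on this machine.' -f $AccountToCheck
} elseif ($allow -contains $AccountToCheck) {
    '{0} is granted local logon directly.' -f $AccountToCheck
} else {
    '{0} is not listed directly; its effective right comes from group membership (e.g. Users, Administrators), which this script does not expand.' -f $AccountToCheck
}
```

    The script only matches the account by name; if the account receives or loses the right through a group such as Users or Administrators, the last branch is reported and the group membership has to be checked separately. As the accepted answer notes, a Domain-B account that lands in the deny list cannot be used for elevation either.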

All replies

  • Hi,

    >>I would like to give userA admin rights on a computer but block all users from 'domainA' from actually logging on to the desktop as a regular user. 

    Before going further, does this mean that you want to deny all domain users from logging onto specific computers, except those who have local admin privileges? If yes, you can add the users who have local admin privileges in the following policy: 'Computer Configuration/Policies/Windows Settings/Security Settings/User Rights Assignment/Allow log on locally'. In this way, only these users can log onto the computers which apply the policy setting.

    Best regards,

    Frank Shen

    Friday, January 9, 2015 9:11 AM
  • > Hi,
    >
    > >>I would like to give userA admin rights on a computer but block all users from 'domainA' from actually logging on to the desktop as a regular user.
    >
    > Before going further, does this mean that you want to deny all domain users from logging onto specific computers, except those who have local admin privileges? If yes, you can add the users who have local admin privileges in the following policy: 'Computer Configuration/Policies/Windows Settings/Security Settings/User Rights Assignment/Allow log on locally'. In this way, only these users can log onto the computers which apply the policy setting.
    >
    > Best regards,
    >
    > Frank Shen

    Okay so we have two domains, I'll refer to as Domain-A and Domain-B.  All users have a Domain-A account and a Domain-B account.  Domain-A accounts are used for logging on to everything.  Occasionally, we have to give some users admin access on their particular workstation, laptop, etc.  Instead of giving admin access to their Domain-A account, we give it to their Domain-B account so they don't have admin rights all the time, only when they specifically need it (and then they have to elevate privileges with their Domain-B account).  However, we do not want these users to be able to log in to Windows with their Domain-B account.  This would bypass the UAC stuff we have set up. The policy you referred to and the one I referred to in my original post block Domain-B accounts from authenticating as admin as well as actually logging in to the desktop.
    Friday, January 9, 2015 3:01 PM