Hi,
>>I would like to give userA admin rights on a computer but block all users from 'domainA' from actually logging on to the desktop as a regular user.
Before going further, does this mean that you want to deny all domain users from logging onto specific computers, except those who have local admin privileges? If yes, you can add the users who have local admin privileges in the
following policy: 'Computer Configuration/Policies/Windows Settings/Security Settings/User Rights Assignment/Allow log on locally. In this way, only these users can log onto the computers which apply the policy setting.
Best regards,
Frank Shen
Okay so we have two domains, I'll refer to as Domain-A and Domain-B. All users have a Domain-A account and a Domain-B account. Domain-A accounts are used for logging on to everything. Occasionally, we have to give some users admin access on
their particular workstation, laptop, etc. Instead of giving admin access to their Domain-A account, we give it to their Domain-B account so they don't have admin rights all the time, only when they specifically need it (and then they have to elevate
privileges with their Domain-B account). However, we do not want these users to be able to login in to Windows with their Domain-B account. This would bypass the UAC stuff we have setup. The policy you referred to and the one I referred to in my
original post block Domain-B accounts from authenticating as admin as well as actually logging in to the desktop.
