Deny Administrator Desktop Logon, but Allow Elevation Prompt Authentication RRS feed

  • Question

  • I have a Windows 7 machine with two users, a regular user and an administrator user (not the built-in account). I want to disallow login to the desktop for the administrator user, but still allow it's credentials to be used at UAC elevation prompts. I tried adding that administrator user to the "Deny logon locally" local security policy, but that did not work. The policy not only disallowed that administrator user from logging in to a desktop, but also from approving elevation requests. Any help would be greatly appreciated.
    • Edited by williamhua99 Friday, May 11, 2018 10:18 AM Minor Edit to Title
    Friday, May 11, 2018 10:17 AM


  • Hi,

    No such methods can achieve your goal, if you remove the administrator user from the logon list, then the credential of it can not be accepted in UAC. For the security sake, you disallow administrator accounts use its credential to login, then it lose the priority to prompt for UAC. This makes sense.

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by williamhua99 Tuesday, May 15, 2018 7:43 AM
    Monday, May 14, 2018 3:04 AM