Prevent logon locally but allow UAC by GPO

-
Hello everyone!
My need is to prevent logon locally for the group G_U_Logoff but still allowing UAC for the users contained in that group.
The group G_C_Logoff contains the computers on which the users are prevented from logging on locally.

AD architecture:
Forest
>DOMAIN.EXEMPLE.COM
  >SITE1
    >GROUPS
      G_U_Logoff
      G_C_Logoff
    >USERS
      User1 (Member of G_U_Logoff)
      User2
    >COMPUTERS
      Comp1 (Member of G_C_Logoff)
      Comp2
  >SITE2
  >SITE3

To do that, I want to create and link a GPO on the COMPUTERS OU with the following configuration:
That configuration doesn't work. The GPO is not applied and the User1 can log on locally on Comp1.
Have you an idea? Is there another solution to do that?
Answers
-
Hi,
I can't read your screenshot as it's not in English, so I have no idea what you have tried. Perhaps you can share your reference link with us, if any?
Regarding your specific requirement, as far as I know, UAC elevation is a local logon. Therefore, if you deny local logon you also deny UAC elevation.
Regards,
Ethan Hua
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com
- Proposed as answer by Ethan Hua (Microsoft contingent staff, Moderator), Wednesday, December 09, 2015 1:19 AM
- Marked as answer by Ethan Hua (Microsoft contingent staff, Moderator), Wednesday, January 06, 2016 4:44 AM
-
> My need is to prevent logon locally for the group G_U_Logoff but still
> allowing UAC for the users contained in that group.

Long answer short: That's impossible.

Logging on to the UAC prompt in fact is an interactive logon on the local computer, so if you deny logon locally, UAC logons will not work anymore.
- Proposed as answer by Ethan Hua (Microsoft contingent staff, Moderator), Wednesday, December 09, 2015 1:19 AM
- Marked as answer by Ethan Hua (Microsoft contingent staff, Moderator), Wednesday, January 06, 2016 4:44 AM
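
Both answers rest on the fact that the UAC credential prompt is governed by the same "Deny log on locally" right (SeDenyInteractiveLogonRight) as a normal interactive logon. The following PowerShell is an added example, not code from the thread: it checks whether an account is listed under that right in a secedit user-rights export, which also shows whether the GPO actually reached the computer. The DOMAIN prefix, the function names and the sample export are assumptions constructed for illustration.

```powershell
# Added example, not from the thread. The group name G_U_Logoff is from the
# question; the DOMAIN prefix and the sample export below are constructed.

function Get-UserRightHolder {
    param([Parameter(Mandatory)][string]$InfText,
          [string]$Right = 'SeDenyInteractiveLogonRight')
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    foreach ($line in ($InfText -split '\r?\n')) {
        if ($line -match $pattern) {
            # Entries are comma-separated; SIDs are written as *S-1-...
            $Matches[1].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ }
        }
    }
}

function Test-DenyLocalLogon {
    param([Parameter(Mandatory)][string]$InfText,
          [Parameter(Mandatory)][string]$Account)
    $ids = @($Account)
    try {
        # Compare by SID as well, because exports often list accounts as SIDs
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        $ids += $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { }   # offline or unknown account: fall back to the name only
    $holders = @(Get-UserRightHolder -InfText $InfText)
    [bool]($ids | Where-Object { $holders -contains $_ })
}

# Constructed sample in the format written by:
#   secedit /export /cfg <file> /areas USER_RIGHTS
$sample = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = DOMAIN\G_U_Logoff,Guest
'@

# A listed account is denied both console logon and the UAC credential prompt
Test-DenyLocalLogon -InfText $sample -Account 'DOMAIN\G_U_Logoff'
Test-DenyLocalLogon -InfText $sample -Account 'DOMAIN\User2'
```

To check a real computer, run the secedit export from an elevated prompt on it and pass `(Get-Content -Raw <file>)` as `-InfText`.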