Prevent logon locally but allow UAC by GPO

    Question

  • Hello everyone!

    My need is to prevent logon locally for the group G_U_Logoff but still allow UAC for the users contained in that group.
    The group G_C_Logoff contains the computers on which the users are prevented from logging on locally.

    AD architecture:

    Forest
        >DOMAIN.EXEMPLE.COM
              >SITE1
                    >GROUPS
                             G_U_Logoff
                             G_C_Logoff
                    >USERS
                             User1 (Member of G_U_Logoff)
                             User2
                    >COMPUTERS
                             Comp1 (Member of G_C_Logoff)
                             Comp2
              >SITE2
              >SITE3

    To do that, I want to create and link a GPO on the COMPUTERS OU with the following configuration:

    That configuration doesn't work. The GPO is not applied and User1 can log on locally on Comp1.

    Do you have any idea? Is there another solution to do that?

    Tuesday, December 01, 2015 5:30 PM

Answers

  • Hi,
     
    I can't read your screenshot as it's not in English, so I have no idea what you have tried. Perhaps, you can share your reference link with us if any?
     
    Regarding your specific requirement, as far as I know, UAC elevation is a local logon. Therefore, if you deny local logon you also deny UAC elevation.
     

    Regards,

    Ethan Hua



    Friday, December 04, 2015 7:10 AM
    Moderator
  • > My need is to prevent logon locally for the group G_U_Logoff but still
    > allowing UAC for the users contained in that group.
     
    Long answer short: That's impossible.
     
    Logging on to the UAC prompt in fact is an interactive logon on the
    local computer, so if you deny logon locally, UAC logons will not work
    anymore.
     
    Tuesday, December 08, 2015 3:31 PM
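
The question reports that the GPO "is not applied". One way to check that on the target machine is to read the effective "Deny log on locally" assignment (`SeDenyInteractiveLogonRight`) directly. This is an added example, not part of the original thread; the function name `Get-DenyLocalLogon` is hypothetical, the group name comes from the question, and the script assumes an elevated PowerShell session on the computer being checked (for instance Comp1).

```powershell
# Added example: list the accounts holding "Deny log on locally" on this computer.
# Get-DenyLocalLogon is a hypothetical helper name, not a built-in cmdlet.
function Get-DenyLocalLogon {
    param([string]$Right = 'SeDenyInteractiveLogonRight')

    $cfg = Join-Path $env:TEMP ("userrights_{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user-rights area of the effective local security policy.
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content -Path $cfg | Where-Object { $_ -match "^$Right\s*=" }
        if (-not $line) { return @() }   # the right is assigned to nobody

        foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # Entries prefixed with * are SIDs; translate them to account names.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '<unresolved>' }
                [pscustomobject]@{ Sid = $sid.Value; Name = $name }
            } else {
                [pscustomobject]@{ Sid = $null; Name = $entry }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$holders = Get-DenyLocalLogon
$holders | Format-Table -AutoSize

# Group name taken from the question; an optional DOMAIN\ prefix is accepted.
if ($holders.Name -match '(^|\\)G_U_Logoff$') {
    'G_U_Logoff holds Deny log on locally on this machine.'
} else {
    'G_U_Logoff is not listed: the GPO setting has not reached this machine.'
}
```

If the group is not listed, `gpresult /r /scope computer` on the same machine shows which GPOs the computer applied and which were filtered out.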

All replies

  • I will try to be clearer:

    My goal is to prevent the administrators from opening a session on machines, but these admin accounts must be able to perform UAC elevation.

    So the parameter 'Deny log on locally' doesn't suit and I have to find another solution.

    Tuesday, December 08, 2015 3:13 PM