none
Deny Administrator Desktop Logon, but Allow Elevation Prompt Authentication

    问题

  • I have a Windows 7 machine with two users, a regular user and an administrator user (not the built-in account). I want to disallow login to the desktop for the administrator user, but still allow it's credentials to be used at UAC elevation prompts. I tried adding that administrator user to the "Deny logon locally" local security policy, but that did not work. The policy not only disallowed that administrator user from logging in to a desktop, but also from approving elevation requests. Any help would be greatly appreciated.
    • 已编辑 williamhua99 2018年5月11日 10:18 Minor Edit to Title
    2018年5月11日 10:17

答案

  • Hi,

    No such methods can achieve your goal, if you remove the administrator user from the logon list, then the credential of it can not be accepted in UAC. For the security sake, you disallow administrator accounts use its credential to login, then it lose the priority to prompt for UAC. This makes sense.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    2018年5月14日 3:04