Local Admin Account with Deny Logon Locally
microsoft.public.windowsxp.security_admin

01-30-2008, 11:46 PM
Local Admin Account with Deny Logon Locally
Hi,
I am trying to create an account that would allow certain users to
install software on their XP SP2 desktops. I don't want them to use
the account to logon in the morning but rather have them supply its
credentials in the Run As box when they run software or patch
installation files. I created an account and created a GPO for the
Test OU that added it to the Local Admins group, set "Deny Logon
Locally" to "Enabled" and specified the account in the "Logon as a
Service" setting. I applied the GPO and checked to make sure that the
account was now in the Local Admins group. However, when I logon
locally as a regular user and try to install an application using Run
As with the new account's credentials I get the error "Logon failure:
the user has not been granted the requested logon type at this
computer." I guess I was wrong assuming that when you use Run As, the
system does not treat it as a local logon? Is there any other setting
that I should have configured?
Thanks

01-31-2008, 12:46 AM
Re: Local Admin Account with Deny Logon Locally
sergeykuz@gmail.com wrote:
> Hi,
> I am trying to create an account that would allow certain users
> install software on their XP SP2 desktops. I don't want them to use
> the account to logon in the morning but rather have them supply its
> credentials in the Run As box when they run software or patch
> installation files. I created an account and created a GPO for the
> Test OU that added it to the Local Admins group, set "Deny Logon
> Locally" to "Enabled" and specified the account in the "Logon as a
> Service" setting. I applied the GPO and checked to make sure that the
> account was now in the Local Admins group. However, when I logon
> locally as a regular user and try to install an application using Run
> As with the new account's credentials I get the error "Logon failure:
> the user has not been granted the requested logon type at this
> computer." I guess I was wrong assuming that when you use Run As, the
> system does not treat it as a local logon? Is there any other setting
> that I should have configured?
> Thanks
It's a local login, yes, so your solution won't work.
You *could* do something a little cheesy - set up a login script for this
domain user so that if someone did log in with it to a workstation, they'd
be logged out of the domain immediately. You could modify the stuff here
http://www.amset.info/windows/limit-logins.asp
.....to do so.

02-03-2008, 11:41 AM
RE: Local Admin Account with Deny Logon Locally
This might be a useable alternative. It allows a limited user to self-promote
(given an Admin password) and reminds them to de-promote after a reasonable
time has been allowed to do whatever they need.
Since it promotes the user's own account, it avoids the problem of
loss-of-settings inherent in changing account.
It's not at production status yet (bug reports welcome) so use at your own
discretion.
http://mylogon.net/su/
"sergeykuz@gmail.com" wrote:
> Hi,
> I am trying to create an account that would allow certain users
> install software on their XP SP2 desktops. I don't want them to use
> the account to logon in the morning but rather have them supply its
> credentials in the Run As box when they run software or patch
> installation files.

02-04-2008, 11:15 PM
Re: Local Admin Account with Deny Logon Locally
On Jan 30, 7:46 pm, "Lanwench [MVP - Exchange]"
<lanwe...@heybuddy.donotsendme.unsolicitedmailatya hoo.com> wrote:
> sergey...@gmail.com wrote:
> > Hi,
> > I am trying to create an account that would allow certain users
> > install software on their XP SP2 desktops. I don't want them to use
> > the account to logon in the morning but rather have them supply its
> > credentials in the Run As box when they run software or patch
> > installation files. I created an account and created a GPO for the
> > Test OU that added it to the Local Admins group, set "Deny Logon
> > Locally" to "Enabled" and specified the account in the "Logon as a
> > Service" setting. I applied the GPO and checked to make sure that the
> > account was now in the Local Admins group. However, when I logon
> > locally as a regular user and try to install an application using Run
> > As with the new account's credentials I get the error "Logon failure:
> > the user has not been granted the requested logon type at this
> > computer." I guess I was wrong assuming that when you use Run As, the
> > system does not treat it as a local logon? Is there any other setting
> > that I should have configured?
> > Thanks
>
> It's a local login, yes, so your solution won't work.
>
> You *could* do something a little cheesy - set up a login script for this
> domain user so that if someone did log in with it to a workstation, they'd
> be logged out of the domain immediately. You could modify the stuff here
>
> http://www.amset.info/windows/limit-logins.asp
>
> ....to do so.
Thanks,
I am trying to write a script now that would log that user off after 3
minutes if logged on locally. That should be enough to initialize an
installation via Run As but inconvenient enough to prevent local
logons.

02-05-2008, 12:56 PM
Re: Local Admin Account with Deny Logon Locally
sergeykuz@gmail.com wrote:
> On Jan 30, 7:46 pm, "Lanwench [MVP - Exchange]"
> <lanwe...@heybuddy.donotsendme.unsolicitedmailatya hoo.com> wrote:
>> sergey...@gmail.com wrote:
>>> Hi,
>>> I am trying to create an account that would allow certain users
>>> install software on their XP SP2 desktops. I don't want them to use
>>> the account to logon in the morning but rather have them supply its
>>> credentials in the Run As box when they run software or patch
>>> installation files. I created an account and created a GPO for the
>>> Test OU that added it to the Local Admins group, set "Deny Logon
>>> Locally" to "Enabled" and specified the account in the "Logon as a
>>> Service" setting. I applied the GPO and checked to make sure that
>>> the account was now in the Local Admins group. However, when I logon
>>> locally as a regular user and try to install an application using
>>> Run As with the new account's credentials I get the error "Logon
>>> failure: the user has not been granted the requested logon type at
>>> this computer." I guess I was wrong assuming that when you use Run
>>> As, the system does not treat it as a local logon? Is there any
>>> other setting that I should have configured?
>>> Thanks
>>
>> It's a local login, yes, so your solution won't work.
>>
>> You *could* do something a little cheesy - set up a login script for
>> this domain user so that if someone did log in with it to a
>> workstation, they'd be logged out of the domain immediately. You
>> could modify the stuff here
>>
>> http://www.amset.info/windows/limit-logins.asp
>>
>> ....to do so.
>
> Thanks,
> I am trying to write a script now that would log that user off after 3
> minutes if logged on locally. That should be enough to initialize an
> installation via Run As but inconvenient enough to prevent local
> logons.
But if you log them out when the install is going on, this won't work. The
login script method will keep them from logging in as that account, but will
not fire off when they use RunAs.

02-11-2008, 09:40 PM
Re: Local Admin Account with Deny Logon Locally
On Feb 5, 7:56 am, "Lanwench [MVP - Exchange]"
<lanwe...@heybuddy.donotsendme.unsolicitedmailatya hoo.com> wrote:
> sergey...@gmail.com wrote:
> > On Jan 30, 7:46 pm, "Lanwench [MVP - Exchange]"
> > <lanwe...@heybuddy.donotsendme.unsolicitedmailatya hoo.com> wrote:
> >> sergey...@gmail.com wrote:
> >>> Hi,
> >>> I am trying to create an account that would allow certain users
> >>> install software on their XP SP2 desktops. I don't want them to use
> >>> the account to logon in the morning but rather have them supply its
> >>> credentials in the Run As box when they run software or patch
> >>> installation files. I created an account and created a GPO for the
> >>> Test OU that added it to the Local Admins group, set "Deny Logon
> >>> Locally" to "Enabled" and specified the account in the "Logon as a
> >>> Service" setting. I applied the GPO and checked to make sure that
> >>> the account was now in the Local Admins group. However, when I logon
> >>> locally as a regular user and try to install an application using
> >>> Run As with the new account's credentials I get the error "Logon
> >>> failure: the user has not been granted the requested logon type at
> >>> this computer." I guess I was wrong assuming that when you use Run
> >>> As, the system does not treat it as a local logon? Is there any
> >>> other setting that I should have configured?
> >>> Thanks
>
> >> It's a local login, yes, so your solution won't work.
>
> >> You *could* do something a little cheesy - set up a login script for
> >> this domain user so that if someone did log in with it to a
> >> workstation, they'd be logged out of the domain immediately. You
> >> could modify the stuff here
>
> >> http://www.amset.info/windows/limit-logins.asp
>
> >> ....to do so.
>
> > Thanks,
> > I am trying to write a script now that would log that user off after 3
> > minutes if logged on locally. That should be enough to initialize an
> > installation via Run As but inconvenient enough to prevent local
> > logons.
>
> But if you log them out when the install is going on, this won't work. The
> login script method will keep them from logging in as that account, but will
> not fire off when they use RunAs.
Ok, I think I got it done now. I created a little logon script that
checks the user's name at logon and if it is that administrative
account it logs it right off (it's set for 15 seconds). At the same
time it works fine for installations as in the Group Policy it is
combined with adding that account to the Local Admins group on all
computers. One tricky part was having to apply this GPO to the
Computers OU as well as the Users OU that hosts that user account
because of the 2-part GPO settings.
Thanks,
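
The logon-script approach described in the last post, as an added example that is not the poster's own script. The account name `swinstall`, the event source `LogonGuard` and event ID 900 are assumptions; the 15-second delay is the value mentioned in the post.

```batch
@echo off
rem Added example, not the poster's script. Assign it as a *user* logon
rem script in the GPO linked to the OU that holds the install account.
rem ASSUMPTIONS: "swinstall", "LogonGuard" and event ID 900 are
rem hypothetical names chosen for illustration.
setlocal

set RESTRICTED=swinstall
set DELAY=15

rem Case-insensitive compare; every other user falls through untouched.
if /I not "%USERNAME%"=="%RESTRICTED%" goto :eof

rem Record the attempt in the Application log so interactive use of the
rem shared admin account is visible to whoever reviews the workstation.
eventcreate /T WARNING /ID 900 /L APPLICATION /SO LogonGuard /D "Interactive logon by %USERDOMAIN%\%USERNAME% on %COMPUTERNAME%; forcing logoff." >nul 2>&1

echo This account is for Run As installations only.
echo Logging off in %DELAY% seconds.

rem XP has no timeout.exe; one loopback ping per second acts as the delay.
set /a PINGS=%DELAY%+1
ping -n %PINGS% 127.0.0.1 >nul

rem End the interactive session. Processes started through Run As never
rem run this script, so installations under the account are unaffected.
logoff
```

During the delay the account has a normal desktop session with local admin rights, so a shorter delay narrows that window. The "Run logon scripts synchronously" policy keeps the desktop from loading until the script has finished.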
All times are GMT.