hemlockz <ian.m.cameron@gmail.com> wrote:
> We have a couple domain accounts that are members of the local
> Administrators group on all our workstations. (Our domain users are
> Power Users.)
Note that Power Users is pretty nearly Administrators in XP - I'd rethink
this. They really ought to just be users.
> We use these accounts to log in and install programs
> and things that Power Users cannot. A while ago one of the IT created
> another account and added it to the group with the intent of using the
> account for Run As... installation scripts and things of that nature.
> Pretty soon a couple of domain users have read the batch files and
> taken the password for that account and are now using it to log on to
> their workstations and install software. They only call IT after they
> have ruined their registry or downloaded a virus. The Run As...
> account has been very helpful and a huge time saver but opened up this
> security hole. It would not be so much of a problem if we could
> restrict log on from the account but still use it to "Run As..."
> Unfortunately if I modify the Log On To... under the account
> properties in Active Directory the Run As... will not work unless the
> the account is also allowed to log on. Is there anything we can do to
> prevent the account from logging on to Windows XP, but still be able
> to Run As...? Thanks.
The short answer is no. . I would suggest you pull back from trying address
the symptom, in favor of curing the problem, which is that you've got
passwords in clear text. Change the password immediately, and never embed
passwords in clear text /
in batch files like that.
There are many runas alternatives - see
http://www.wingnutsoftware.com/ for
an option.
Linear Mode
