|
Related Topics:
| Deny Logon Locally - I was trying to prevent a user from seeing the Domain to Logon to. I added the user's account to Deny Logon Locally in Local Computer Rights Logon..
Deny Interactive Logon but Allow Runas - Hi, We have a number of who use a piece of very flaky software, which some times requires or having fix-packs As our users don't have local admin rights they usually have to come to the IT
Deny "New User" account with blank password - There are two methods for creating a new user in Windows XP. The first is with and the second is with the manager. I need to, creation of new user accounts with a blank Doing it..
Admin Account without Admin Rights? - Hello, Looks like my XP Pro box got hacked a couple of days ago. Not quite sure how, but anyway, my question concerns the The attacker managed to set my normal admin account to Limited, and turn my limited account to Admin. But they also..
Local Policy Does Not allow logon - Help I have just taken over a client with a messed up network. I am getting "The local policy of this system does not permit you to logon when I try to logon to one of te with an ID which is not part of the Admin group. ..
|
|
|
Next: XP Security Admin: Error in installation
|
| Author |
Message |
External
Since: Jan 30, 2008
Posts: 3
|
(Msg. 1) Posted: Wed Jan 30, 2008 3:46 pm
Post subject: Local Admin Account with Deny Logon Locally  Get Alert
Archived from groups: microsoft>public>windowsxp>security_admin (more info?)
|
|
|
Hi,
I am trying to create an account that would allow certain users
install software on their XP SP2 desktops. I don't want them to use
the account to logon in the morning but rather have them supply its
credentials in the Run As box when they run software or patch
installation files. I created an account and created a GPO for the
Test OU that added it to the Local Admins group, set "Deny Logon
Locally" to "Enabled" and specified the account in the "Logon as a
Service" setting. I applied the GPO and checked to make sure that the
account was now in the Local Admins group. However, when I logon
locally as a regular user and try to install an application using Run
As with the new account's credentials I get the error "Logon failure:
the user has not been granted the requested logon type at this
computer." I guess I was wrong assuming that when you use Run As, the
system does not treat it as a local logon? Is there any other setting
that I should have configured?
Thanks |
|
| Back to top |
|
 | |
|
Lanwench [MVP - Exchange]
|
External
Since: Jun 07, 2007
Posts: 351
|
(Msg. 2) Posted: Wed Jan 30, 2008 7:46 pm
Post subject: Re: Local Admin Account with Deny Logon Locally Get Alert [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
sergeykuz RemoveThis @gmail.com wrote:
> Hi,
> I am trying to create an account that would allow certain users
> install software on their XP SP2 desktops. I don't want them to use
> the account to logon in the morning but rather have them supply its
> credentials in the Run As box when they run software or patch
> installation files. I created an account and created a GPO for the
> Test OU that added it to the Local Admins group, set "Deny Logon
> Locally" to "Enabled" and specified the account in the "Logon as a
> Service" setting. I applied the GPO and checked to make sure that the
> account was now in the Local Admins group. However, when I logon
> locally as a regular user and try to install an application using Run
> As with the new account's credentials I get the error "Logon failure:
> the user has not been granted the requested logon type at this
> computer." I guess I was wrong assuming that when you use Run As, the
> system does not treat it as a local logon? Is there any other setting
> that I should have configured?
> Thanks
It's a local login, yes, so your solution won't work.
You *could* do something a little cheesy - set up a login script for this
domain user so that if someone did log in with it to a workstation, they'd
be logged out of the domain immediately. You could modify the stuff here
http://www.amset.info/windows/limit-logins.asp
.....to do so. |
|
| Back to top |
|
| |
External
Since: Aug 08, 2007
Posts: 115
|
(Msg. 3) Posted: Sun Feb 03, 2008 3:41 am
Post subject: RE: Local Admin Account with Deny Logon Locally Get Alert [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
This might be a useable aternative. It allows a limited user to self-promote
(given an Admin password) and reminds them to de-promote after a reasonable
time has been allowed to do whatever they need.
Since it promotes the user's own account, it avoids the problem of
loss-of-settings inherent in changing account.
It's not at production status yet (bug reports welcome) so use at your own
discretion.
http://mylogon.net/su/
"sergeykuz@gmail.com" wrote:
> Hi,
> I am trying to create an account that would allow certain users
> install software on their XP SP2 desktops. I don't want them to use
> the account to logon in the morning but rather have them supply its
> credentials in the Run As box when they run software or patch
> installation files. >> Stay informed about: Local Admin Account with Deny Logon Locally |
|
| Back to top |
|
| |
External
Since: Jan 30, 2008
Posts: 3
|
(Msg. 4) Posted: Mon Feb 04, 2008 3:15 pm
Post subject: Re: Local Admin Account with Deny Logon Locally Get Alert [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
On Jan 30, 7:46 pm, "Lanwench [MVP - Exchange]"
<lanwe... RemoveThis @heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote:
> sergey... RemoveThis @gmail.com wrote:
> > Hi,
> > I am trying to create an account that would allow certain users
> > install software on their XP SP2 desktops. I don't want them to use
> > the account to logon in the morning but rather have them supply its
> > credentials in the Run As box when they run software or patch
> > installation files. I created an account and created a GPO for the
> > Test OU that added it to the Local Admins group, set "Deny Logon
> > Locally" to "Enabled" and specified the account in the "Logon as a
> > Service" setting. I applied the GPO and checked to make sure that the
> > account was now in the Local Admins group. However, when I logon
> > locally as a regular user and try to install an application using Run
> > As with the new account's credentials I get the error "Logon failure:
> > the user has not been granted the requested logon type at this
> > computer." I guess I was wrong assuming that when you use Run As, the
> > system does not treat it as a local logon? Is there any other setting
> > that I should have configured?
> > Thanks
>
> It's a local login, yes, so your solution won't work.
>
> You *could* do something a little cheesy - set up a login script for this
> domain user so that if someone did log in with it to a workstation, they'd
> be logged out of the domain immediately. You could modify the stuff here
>
> http://www.amset.info/windows/limit-logins.asp
>
> ....to do so.- Hide quoted text -
>
> - Show quoted text -
Thanks,
I an trying to write a script now that would log that user off after 3
minutes if logged on locally. That should be enough to initialize an
installation via Run As but inconvenient enough to prevent local
logons. >> Stay informed about: Local Admin Account with Deny Logon Locally |
|
| Back to top |
|
| |
|
Lanwench [MVP - Exchange]
|
External
Since: Jun 07, 2007
Posts: 351
|
(Msg. 5) Posted: Tue Feb 05, 2008 7:56 am
Post subject: Re: Local Admin Account with Deny Logon Locally Get Alert [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
sergeykuz.RemoveThis@gmail.com wrote:
> On Jan 30, 7:46 pm, "Lanwench [MVP - Exchange]"
> <lanwe....RemoveThis@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote:
>> sergey....RemoveThis@gmail.com wrote:
>>> Hi,
>>> I am trying to create an account that would allow certain users
>>> install software on their XP SP2 desktops. I don't want them to use
>>> the account to logon in the morning but rather have them supply its
>>> credentials in the Run As box when they run software or patch
>>> installation files. I created an account and created a GPO for the
>>> Test OU that added it to the Local Admins group, set "Deny Logon
>>> Locally" to "Enabled" and specified the account in the "Logon as a
>>> Service" setting. I applied the GPO and checked to make sure that
>>> the account was now in the Local Admins group. However, when I logon
>>> locally as a regular user and try to install an application using
>>> Run As with the new account's credentials I get the error "Logon
>>> failure: the user has not been granted the requested logon type at
>>> this computer." I guess I was wrong assuming that when you use Run
>>> As, the system does not treat it as a local logon? Is there any
>>> other setting that I should have configured?
>>> Thanks
>>
>> It's a local login, yes, so your solution won't work.
>>
>> You *could* do something a little cheesy - set up a login script for
>> this domain user so that if someone did log in with it to a
>> workstation, they'd be logged out of the domain immediately. You
>> could modify the stuff here
>>
>> http://www.amset.info/windows/limit-logins.asp
>>
>> ....to do so.- Hide quoted text -
>>
>> - Show quoted text -
>
> Thanks,
> I an trying to write a script now that would log that user off after 3
> minutes if logged on locally. That should be enough to initialize an
> installation via Run As but inconvenient enough to prevent local
> logons.
But if you log them out when the install is going on, this won't work. The
login script method will keep them from logging in as that account, but will
not fire off when they use RunAs. >> Stay informed about: Local Admin Account with Deny Logon Locally |
|
| Back to top |
|
| |
External
Since: Jan 30, 2008
Posts: 3
|
(Msg. 6) Posted: Mon Feb 11, 2008 1:40 pm
Post subject: Re: Local Admin Account with Deny Logon Locally Get Alert [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
On Feb 5, 7:56 am, "Lanwench [MVP - Exchange]"
<lanwe....RemoveThis@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote:
> sergey....RemoveThis@gmail.com wrote:
> > On Jan 30, 7:46 pm, "Lanwench [MVP - Exchange]"
> > <lanwe....RemoveThis@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote:
> >> sergey....RemoveThis@gmail.com wrote:
> >>> Hi,
> >>> I am trying to create an account that would allow certain users
> >>> install software on their XP SP2 desktops. I don't want them to use
> >>> the account to logon in the morning but rather have them supply its
> >>> credentials in the Run As box when they run software or patch
> >>> installation files. I created an account and created a GPO for the
> >>> Test OU that added it to the Local Admins group, set "Deny Logon
> >>> Locally" to "Enabled" and specified the account in the "Logon as a
> >>> Service" setting. I applied the GPO and checked to make sure that
> >>> the account was now in the Local Admins group. However, when I logon
> >>> locally as a regular user and try to install an application using
> >>> Run As with the new account's credentials I get the error "Logon
> >>> failure: the user has not been granted the requested logon type at
> >>> this computer." I guess I was wrong assuming that when you use Run
> >>> As, the system does not treat it as a local logon? Is there any
> >>> other setting that I should have configured?
> >>> Thanks
>
> >> It's a local login, yes, so your solution won't work.
>
> >> You *could* do something a little cheesy - set up a login script for
> >> this domain user so that if someone did log in with it to a
> >> workstation, they'd be logged out of the domain immediately. You
> >> could modify the stuff here
>
> >>http://www.amset.info/windows/limit-logins.asp
>
> >> ....to do so.- Hide quoted text -
>
> >> - Show quoted text -
>
> > Thanks,
> > I an trying to write a script now that would log that user off after 3
> > minutes if logged on locally. That should be enough to initialize an
> > installation via Run As but inconvenient enough to prevent local
> > logons.
>
> But if you log them out when the install is going on, this won't work. The
> login script method will keep them from logging in as that account, but will
> not fire off when they use RunAs.- Hide quoted text -
>
> - Show quoted text -
Ok, I think I got it done now. I created a little logon script that
checks the user's name at logon and if it is that administrative
account it logs it right off (it's set for 15 seconds). At the same
time it works fine for installations as in the Group Policy it is
combined with adding that account to the Local Admins group on all
computers. One tricky part was having to apply this GPO to the
Computers OU as well as the Users OU that hosts that user account
because of the 2-part GPO settings.
Thanks, >> Stay informed about: Local Admin Account with Deny Logon Locally |
|
| Back to top |
|
| |
|
FAQ
Search
Profile
Private Messages
Log in/Register/Password
Windows XP