Microsoft Windows Vista Community Forums - Vistaheads
local administrative users & UAC

microsoft.public.windows.vista.security






  #1 (permalink)  
Old 11-21-2007
 

local administrative users & UAC
Long post, but I think it's better to have some background and understand
what I'm trying to achieve.

XP environment:
Most users are happy to run as power users, and get applications installed
for them via group policy. Some users though need to have the ability to
install applications, and for these users I create a local administrative
user and tell them to use it to install applications. However what ends up
happening is they login as that admin user to install applications and often
end up logging in as the admin user all day every day.

Vista:
Again most users will be happy as a power user, getting applications
installed for them via group policy. Some users will need to install
applications and for them I would like to create a local administrative
user. BUT to prevent them from logging in as that user I want to disable the
ability for that user to login interactively. The idea being that the user
will be prompted for admin credentials by the UAC, they enter them and the
software installs. They CANNOT login to windows as the local admin user so
have to run windows as their power user.

So the task is to try to deny a user the right to logon to windows, but
still allow the user's credentials be used in the UAC. I have tried setting
the policy "Computer Configuration\Windows Settings\Security Settings\User
Rights Assignment\Deny log on locally" and this prevents the user logging in
to windows, but it also stops the credentials being usable in the UAC.

Any thoughts?



  #2 (permalink)  
Old 11-21-2007
f/fgeorge
 

Re: local administrative users & UAC
On Wed, 21 Nov 2007 13:16:13 -0000, <andy_c@hotmail.com> wrote:

>Long post, but I think it's better to have some background and understand
>what I'm trying to achieve.
>
>XP environment:
>Most users are happy to run as power users, and get applications installed
>for them via group policy. Some users though need to have the ability to
>install applications, and for these users I create a local administrative
>user and tell them to use it to install applications. However what ends up
>happening is they login as that admin user to install applications and often
>end up logging in as the admin user all day every day.
>
>Vista:
>Again most users will be happy as a power user, getting applications
>installed for them via group policy. Some users will need to install
>applications and for them I would like to create a local administrative
>user. BUT to prevent them from logging in as that user I want to disable the
>ability for that user to login interactively. The idea being that the user
>will be prompted for admin credentials by the UAC, they enter them and the
>software installs. They CANNOT login to windows as the local admin user so
>have to run windows as their power user.
>
>So the task is to try to deny a user the right to logon to windows, but
>still allow the user's credentials be used in the UAC. I have tried setting
>the policy "Computer Configuration\Windows Settings\Security Settings\User
>Rights Assignment\Deny log on locally" and this prevents the user logging in
>to windows, but it also stops the credentials being usable in the UAC.
>
>Any thoughts?
>

Sounds like you need a Server, it has lots of logon account variables
that you can set.
  #3 (permalink)  
Old 11-21-2007
 

Re: local administrative users & UAC
These PCs are all part of a Windows 2003 active directory, the question
refers to a local user on workstations within a domain.

A.


"f/fgeorge" <ffgeorge@yourplace.com> wrote in message
news:02f8k3dfd1sbdvjk1pilarlqo5n0hlq7o5@4ax.com...
> On Wed, 21 Nov 2007 13:16:13 -0000, <andy_c@hotmail.com> wrote:
>
>>Long post, but I think it's better to have some background and understand
>>what I'm trying to achieve.
>>
>>XP environment:
>>Most users are happy to run as power users, and get applications installed
>>for them via group policy. Some users though need to have the ability to
>>install applications, and for these users I create a local administrative
>>user and tell them to use it to install applications. However what ends up
>>happening is they login as that admin user to install applications and
>>often
>>end up logging in as the admin user all day every day.
>>
>>Vista:
>>Again most users will be happy as a power user, getting applications
>>installed for them via group policy. Some users will need to install
>>applications and for them I would like to create a local administrative
>>user. BUT to prevent them from logging in as that user I want to disable
>>the
>>ability for that user to login interactively. The idea being that the user
>>will be prompted for admin credentials by the UAC, they enter them and the
>>software installs. They CANNOT login to windows as the local admin user so
>>have to run windows as their power user.
>>
>>So the task is to try to deny a user the right to logon to windows, but
>>still allow the user's credentials be used in the UAC. I have tried
>>setting
>>the policy "Computer Configuration\Windows Settings\Security Settings\User
>>Rights Assignment\Deny log on locally" and this prevents the user logging
>>in
>>to windows, but it also stops the credentials being usable in the UAC.
>>
>>Any thoughts?
>>

> Sounds like you need a Server, it has lots of logon account variables
> that you can set.



  #4 (permalink)  
Old 11-21-2007
Jesper
 

Re: local administrative users & UAC
I have a few comments on this. Overall, I would suggest you deny elevation
for Standard Users, which forces them to use Fast User Switching to an
administrative account instead. I am very puzzled why you wish to try to
prevent that. If the problem is that users will log on with their
administrative account I think your problem is better solved by enforcing an
organizational security policy.

1. UAC elevation is a local logon. Therefore, if you deny local logon you
also deny UAC elevation.
2. It is FAR more secure to use FUS to run elevated processes than it is to
elevate them within the existing standard user desktop. It is kind of a pain,
but if you do not need to do it very often it is a much better option.
3. Power Users are equivalent to Standard Users in Vista. They have almost
no permissions that Standard Users do not have.
4. Power Users on XP is functionally equivalent to Administrators. It
provides no security whatsoever to make a user a Power User instead of an
Administrator. At best it prevents them from very easily shooting themselves
in the foot, but even that is not true in all cases.
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"andy_c@hotmail.com" wrote:

> These PCs are all part of a Windows 2003 active directory, the question
> refers to a local user on workstations within a domain
>
> A.
>
>
> "f/fgeorge" <ffgeorge@yourplace.com> wrote in message
> news:02f8k3dfd1sbdvjk1pilarlqo5n0hlq7o5@4ax.com...
> > On Wed, 21 Nov 2007 13:16:13 -0000, <andy_c@hotmail.com> wrote:
> >
> >>Long post, but I think it's better to have some background and understand
> >>what I'm trying to achieve.
> >>
> >>XP environment:
> >>Most users are happy to run as power users, and get applications installed
> >>for them via group policy. Some users though need to have the ability to
> >>install applications, and for these users I create a local administrative
> >>user and tell them to use it to install applications. However what ends up
> >>happening is they login as that admin user to install applications and
> >>often
> >>end up logging in as the admin user all day every day.
> >>
> >>Vista:
> >>Again most users will be happy as a power user, getting applications
> >>installed for them via group policy. Some users will need to install
> >>applications and for them I would like to create a local administrative
> >>user. BUT to prevent them from logging in as that user I want to disable
> >>the
> >>ability for that user to login interactively. The idea being that the user
> >>will be prompted for admin credentials by the UAC, they enter them and the
> >>software installs. They CANNOT login to windows as the local admin user so
> >>have to run windows as their power user.
> >>
> >>So the task is to try to deny a user the right to logon to windows, but
> >>still allow the user's credentials be used in the UAC. I have tried
> >>setting
> >>the policy "Computer Configuration\Windows Settings\Security Settings\User
> >>Rights Assignment\Deny log on locally" and this prevents the user logging
> >>in
> >>to windows, but it also stops the credentials being usable in the UAC.
> >>
> >>Any thoughts?
> >>

> > Sounds like you need a Server, it has lots of logon account variables
> > that you can set.

>
>
>

Reply With Quote
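The two settings discussed in the reply above ("Deny log on locally" and denying elevation for Standard Users) can be checked from PowerShell. This is an added example, not part of the thread: it parses a constructed `secedit` user-rights export and reads the standard-user UAC policy value. The account name `installer` and the function names are hypothetical, and accounts are matched by the literal string that appears in the export.

```powershell
# Added example (not from the thread). Constructed sample of a secedit
# USER_RIGHTS export; 'installer' is a hypothetical local admin account.
$sampleInf = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-32-546,installer
'@ -split "`r?`n"

function Get-DenyLocalLogon {
    param([string[]]$InfLines)
    # "Deny log on locally" is stored as SeDenyInteractiveLogonRight.
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeDenyInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }
    # Entries are comma separated; SIDs carry a leading '*'.
    @(($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
}

function Test-ElevationAccount {
    param([string[]]$InfLines, [string[]]$AdminAccounts)
    $denied = Get-DenyLocalLogon -InfLines $InfLines
    foreach ($account in $AdminAccounts) {
        $isDenied = $denied -contains $account   # -contains ignores case
        [pscustomobject]@{
            Account           = $account
            DeniedLocalLogon  = $isDenied
            # Per the reply above: UAC elevation is a local logon, so a denied
            # account cannot be used at the credential prompt either.
            UsableAtUacPrompt = -not $isDenied
        }
    }
}

function Get-StandardUserElevationPolicy {
    # ConsentPromptBehaviorUser = 0 means elevation requests from standard
    # users are denied automatically; other values prompt for credentials.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $key -Name ConsentPromptBehaviorUser `
        -ErrorAction SilentlyContinue).ConsentPromptBehaviorUser
    if ($null -eq $value) { 'not configured' }
    elseif ($value -eq 0) { 'deny elevation' }
    else { 'prompt for credentials' }
}

Test-ElevationAccount -InfLines $sampleInf -AdminAccounts 'installer', 'Administrator'
```

On a live machine, produce the input from an elevated prompt with `secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS`, pass `Get-Content` of that file as `-InfLines`, and call `Get-StandardUserElevationPolicy` for the UAC setting.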
  #5 (permalink)  
Old 11-22-2007
DevilsPGD
 

Re: local administrative users & UAC
In message <e5DEyCELIHA.4228@TK2MSFTNGP02.phx.gbl> <andy_c@hotmail.com>
wrote:

>Some users will need to install
>applications and for them I would like to create a local administrative
>user. BUT to prevent them from logging in as that user I want to disable the
>ability for that user to login interactively.


I haven't tested this, but if you used group policies to replace the
shell with logoff.exe, that would probably do the trick.

The shell doesn't get called by UAC logins, but does get called if the
user tries to login a desktop session.
  #6 (permalink)  
Old 11-22-2007
 

Re: local administrative users & UAC
Thanks for the reply. At my organization the security policy is a general
document that talks about principles rather than a lengthy volume with
specifics like this.

As for the book, it's the one I read before I posted the question. :-)


"Jesper" <Jesper@discussions.microsoft.com> wrote in message
news:EB89F2F1-EBA9-412F-AAD8-C9E26CDAF4CD@microsoft.com...
>I have a few comments on this. Overall, I would suggest you deny elevation
> for Standard Users, which forces them to use Fast User Switching to an
> administrative account instead. I am very puzzled why you wish to try to
> prevent that. If the problem is that users will log on with their
> administrative account I think your problem is better solved by enforcing
> an
> organizational security policy.
>
> 1. UAC elevation is a local logon. Therefore, if you deny local logon you
> also deny UAC elevation.
> 2. It is FAR more secure to use FUS to run elevated processes than it is
> to
> elevate them within the existing standard user desktop. It is kind of a
> pain,
> but if you do not need to do it very often it is a much better option.
> 3. Power Users are equivalent to Standard Users in Vista. They have almost
> no permissions that Standard Users do not have.
> 4. Power Users on XP is functionally equivalent to Administrators. It
> provides no security whatsoever to make a user a Power User instead of an
> Administrator. At best it prevents them from very easily shooting
> themselves
> in the foot, but even that is not true in all cases.
> ---
> Your question may already be answered in Windows Vista Security:
> http://www.amazon.com/gp/product/047...otectyourwi-20
>
>
> "andy_c@hotmail.com" wrote:
>
>> These PCs are all part of a Windows 2003 active directory, the question
>> refers to a local user on workstations within a domain
>>
>> A.
>>
>>
>> "f/fgeorge" <ffgeorge@yourplace.com> wrote in message
>> news:02f8k3dfd1sbdvjk1pilarlqo5n0hlq7o5@4ax.com...
>> > On Wed, 21 Nov 2007 13:16:13 -0000, <andy_c@hotmail.com> wrote:
>> >
>> >>Long post, but I think it's better to have some background and
>> >>understand
>> >>what I'm trying to achieve.
>> >>
>> >>XP environment:
>> >>Most users are happy to run as power users, and get applications
>> >>installed
>> >>for them via group policy. Some users though need to have the ability
>> >>to
>> >>install applications, and for these users I create a local
>> >>administrative
>> >>user and tell them to use it to install applications. However what ends
>> >>up
>> >>happening is they login as that admin user to install applications and
>> >>often
>> >>end up logging in as the admin user all day every day.
>> >>
>> >>Vista:
>> >>Again most users will be happy as a power user, getting applications
>> >>installed for them via group policy. Some users will need to install
>> >>applications and for them I would like to create a local administrative
>> >>user. BUT to prevent them from logging in as that user I want to
>> >>disable
>> >>the
>> >>ability for that user to login interactively. The idea being that the
>> >>user
>> >>will be prompted for admin credentials by the UAC, they enter them and
>> >>the
>> >>software installs. They CANNOT login to windows as the local admin user
>> >>so
>> >>have to run windows as their power user.
>> >>
>> >>So the task is to try to deny a user the right to logon to windows, but
>> >>still allow the user's credentials be used in the UAC. I have tried
>> >>setting
>> >>the policy "Computer Configuration\Windows Settings\Security
>> >>Settings\User
>> >>Rights Assignment\Deny log on locally" and this prevents the user
>> >>logging
>> >>in
>> >>to windows, but it also stops the credentials being usable in the UAC.
>> >>
>> >>Any thoughts?
>> >>
>> > Sounds like you need a Server, it has lots of logon account variables
>> > that you can set.

>>
>>
>>



  #7 (permalink)  
Old 11-22-2007
 

Re: local administrative users & UAC
It's crazy enough. It might just work.

Thanks I will try.


"DevilsPGD" <spam_narf_spam@crazyhat.net> wrote in message
news:n7c9k310la705dn2fooce7ekidbedokusa@4ax.com...
> In message <e5DEyCELIHA.4228@TK2MSFTNGP02.phx.gbl> <andy_c@hotmail.com>
> wrote:
>
>>Some users will need to install
>>applications and for them I would like to create a local administrative
>>user. BUT to prevent them from logging in as that user I want to disable
>>the
>>ability for that user to login interactively.

>
> I haven't tested this, but if you used group policies to replace the
> shell with logoff.exe, that would probably do the trick.
>
> The shell doesn't get called by UAC logins, but does get called if the
> user tries to login a desktop session.



  #8 (permalink)  
Old 11-23-2007
DevilsPGD
 

Re: local administrative users & UAC
In message <eu43#5OLIHA.4948@TK2MSFTNGP02.phx.gbl> <andy_c@hotmail.com>
wrote:

>It's crazy enough. It might just work.


My favourite kind of solution. Let me know how it goes...