I have a few comments on this. Overall, I would suggest you deny elevation
for Standard Users, which forces them to use Fast User Switching to an
administrative account instead. I am very puzzled why you wish to try to
prevent that. If the problem is that users will log on with their
administrative account I think your problem is better solved by enforcing an
organizational security policy.
1. UAC elevation is a local logon. Therefore, if you deny local logon you
also deny UAC elevation.
2. It is FAR more secure to use FUS to run elevated processes than it is to
elevate them within the existing standard user desktop. It is kind of a pain,
but if you do not need to do it very often it is a much better option.
3. Power Users are equivalent to Standard Users in Vista. They have almost
no permissions that Standard Users do not have.
4. Power Users on XP is functionally equivalent to Administrators. It
provides no security whatsoever to make a user a Power User instead of an
Administrator. At best it prevents them from very easily shooting themselves
in the foot, but even that is not true in all cases.
Your question may already be answered in Windows Vista Security:
> These PCs are all part of a Windows 2003 active directory, the question
> refers to a local user on workstations within a domain
> "f/fgeorge" <firstname.lastname@example.org> wrote in message
> > On Wed, 21 Nov 2007 13:16:13 -0000, <email@example.com> wrote:
> >>Long post, but I think it's better to have some background and understand
> >>what I'm trying to achieve.
> >>XP environment:
> >>Most users are happy to run as power users, and get applications installed
> >>for them via group policy. Some users though need to have the ability to
> >>install applications, and for these users I create a local administrative
> >>user and tell them to use it to install applications. However what ends up
> >>happening is they login as that admin user to install applications and
> >>end up logging in as the admin user all day every day.
> >>Again most users will be happy as a power user, getting applications
> >>installed for them via group policy. Some users will need to install
> >>applications and for them I would like to create a local administrative
> >>user. BUT to prevent them from logging in as that user I want to disable
> >>ability for that user to login interactively. The idea being that the user
> >>will be prompted for admin credentials by the UAC, they enter them and the
> >>software installs. They CANNOT login to windows as the local admin user so
> >>have to run windows as their power user.
> >>So the task is to try to deny a user the right to logon to windows, but
> >>still allow the user's credentials be used in the UAC. I have tried
> >>the policy "Computer Configuration\Windows Settings\Security Settings\User
> >>Rights Assignment\Deny log on locally" and this prevents the user logging
> >>to windows, but it also stops the credentials being usable in the UAC.
> >>Any thoughts?
> > Sounds like you need a Server, it has lots of logon account variables
> > that you can set.