local administravtive users & UAC

[andy_c@hotmail.com]

Long post, but I think it's better to have some background and understand
what I'm trying to achieve.

XP environment:
Most users are happy to run as power users, and get applications installed
for them via group policy. Some users though need to have the ability to
install applications, and for these users I create a local administrative
user and tell them to use it to install applications. However what ends up
happening is they login as that admin user to install applications and often
end up logging in as the admin user all day every day.

Vista:
Again most users will be happy as a power user, getting applications
installed for them via group policy. Some users will need to install
applications and for them I would like to create a local administrative
user. BUT to prevent them from logging in as that user I want to disable the
ability for that user to login interactively. The idea being that the user
will be prompted for admin credentials by the UAC, they enter them and the
software installs. They CANNOT login to windows as the local admin user so
have to run windows as their power user.

So the task is to try to deny a user the right to logon to windows, but
still allow the user's credentials be used in the UAC. I have tried setting
the policy "Computer Configuration\Windows Settings\Security Settings\User
Rights Assignment\Deny log on locally" and this prevents the user logging in
to windows, but it also stops the credentials being usable in the UAC.

Any thoughts?

 

[f/fgeorge]

Re: local administravtive users & UAC

On Wed, 21 Nov 2007 13:16:13 -0000, <andy_c@hotmail.com> wrote:

>Long post, but I think it's better to have some background and understand
>what I'm trying to achieve.
>
>XP environment:
>Most users are happy to run as power users, and get applications installed
>for them via group policy. Some users though need to have the ability to
>install applications, and for these users I create a local administrative
>user and tell them to use it to install applications. However what ends up
>happening is they login as that admin user to install applications and often
>end up logging in as the admin user all day every day.
>
>Vista:
>Again most users will be happy as a power user, getting applications
>installed for them via group policy. Some users will need to install
>applications and for them I would like to create a local administrative
>user. BUT to prevent them from logging in as that user I want to disable the
>ability for that user to login interactively. The idea being that the user
>will be prompted for admin credentials by the UAC, they enter them and the
>software installs. They CANNOT login to windows as the local admin user so
>have to run windows as their power user.
>
>So the task is to try to deny a user the right to logon to windows, but
>still allow the user's credentials be used in the UAC. I have tried setting
>the policy "Computer Configuration\Windows Settings\Security Settings\User
>Rights Assignment\Deny log on locally" and this prevents the user logging in
>to windows, but it also stops the credentials being usable in the UAC.
>
>Any thoughts?
>
Sounds like you need a Server, it has lots of logon account variables
that you can set.

 

[andy_c@hotmail.com]

Re: local administravtive users & UAC

These PCs are all part of a Windows 2003 active directory, the question
refers to a local user on workstations within a domain

A.


"f/fgeorge" <ffgeorge@yourplace.com> wrote in message
news:02f8k3dfd1sbdvjk1pilarlqo5n0hlq7o5@4ax.com...
> On Wed, 21 Nov 2007 13:16:13 -0000, <andy_c@hotmail.com> wrote:
>
>>Long post, but I think it's better to have some background and understand
>>what I'm trying to achieve.
>>
>>XP environment:
>>Most users are happy to run as power users, and get applications installed
>>for them via group policy. Some users though need to have the ability to
>>install applications, and for these users I create a local administrative
>>user and tell them to use it to install applications. However what ends up
>>happening is they login as that admin user to install applications and
>>often
>>end up logging in as the admin user all day every day.
>>
>>Vista:
>>Again most users will be happy as a power user, getting applications
>>installed for them via group policy. Some users will need to install
>>applications and for them I would like to create a local administrative
>>user. BUT to prevent them from logging in as that user I want to disable
>>the
>>ability for that user to login interactively. The idea being that the user
>>will be prompted for admin credentials by the UAC, they enter them and the
>>software installs. They CANNOT login to windows as the local admin user so
>>have to run windows as their power user.
>>
>>So the task is to try to deny a user the right to logon to windows, but
>>still allow the user's credentials be used in the UAC. I have tried
>>setting
>>the policy "Computer Configuration\Windows Settings\Security Settings\User
>>Rights Assignment\Deny log on locally" and this prevents the user logging
>>in
>>to windows, but it also stops the credentials being usable in the UAC.
>>
>>Any thoughts?
>>
> Sounds like you need a Server, it has lots of logon account variables
> that you can set.

 

[Jesper]

Re: local administravtive users & UAC

I have a few comments on this. Overall, I would suggest you deny elevation
for Standard Users, which forces them to use Fast User Switching to an
administrative account instead. I am very puzzled why you wish to try to
prevent that. If the problem is that users will log on with their
administrative account I think your problem is better solved by enforcing an
organizational security policy.

1. UAC elevation is a local logon. Therefore, if you deny local logon you
also deny UAC elevation.
2. It is FAR more secure to use FUS to run elevated processes than it is to
elevate them within the existing standard user desktop. It is kind of a pain,
but if you do not need to do it very often it is a much better option.
3. Power Users are equivalent to Standard Users in Vista. They have almost
no permissions that Standard Users do not have.
4. Power Users on XP is functionally equivalent to Administrators. It
provides no security whatsoever to make a user a Power User instead of an
Administrator. At best it prevents them from very easily shooting themselves
in the foot, but even that is not true in all cases.
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/0470101555?ie=UTF8&tag=protectyourwi-20


"andy_c@hotmail.com" wrote:

> These PCs are all part of a Windows 2003 active directory, the question
> refers to a local user on workstations within a domain
>
> A.
>
>
> "f/fgeorge" <ffgeorge@yourplace.com> wrote in message
> news:02f8k3dfd1sbdvjk1pilarlqo5n0hlq7o5@4ax.com...
> > On Wed, 21 Nov 2007 13:16:13 -0000, <andy_c@hotmail.com> wrote:
> >
> >>Long post, but I think it's better to have some background and understand
> >>what I'm trying to achieve.
> >>
> >>XP environment:
> >>Most users are happy to run as power users, and get applications installed
> >>for them via group policy. Some users though need to have the ability to
> >>install applications, and for these users I create a local administrative
> >>user and tell them to use it to install applications. However what ends up
> >>happening is they login as that admin user to install applications and
> >>often
> >>end up logging in as the admin user all day every day.
> >>
> >>Vista:
> >>Again most users will be happy as a power user, getting applications
> >>installed for them via group policy. Some users will need to install
> >>applications and for them I would like to create a local administrative
> >>user. BUT to prevent them from logging in as that user I want to disable
> >>the
> >>ability for that user to login interactively. The idea being that the user
> >>will be prompted for admin credentials by the UAC, they enter them and the
> >>software installs. They CANNOT login to windows as the local admin user so
> >>have to run windows as their power user.
> >>
> >>So the task is to try to deny a user the right to logon to windows, but
> >>still allow the user's credentials be used in the UAC. I have tried
> >>setting
> >>the policy "Computer Configuration\Windows Settings\Security Settings\User
> >>Rights Assignment\Deny log on locally" and this prevents the user logging
> >>in
> >>to windows, but it also stops the credentials being usable in the UAC.
> >>
> >>Any thoughts?
> >>
> > Sounds like you need a Server, it has lots of logon account variables
> > that you can set.
>
>
>

 

[DevilsPGD]

Re: local administravtive users & UAC

In message <e5DEyCELIHA.4228@TK2MSFTNGP02.phx.gbl> <andy_c@hotmail.com>
wrote:

>Some users will need to install
>applications and for them I would like to create a local administrative
>user. BUT to prevent them from logging in as that user I want to disable the
>ability for that user to login interactively.

I haven't tested this, but if you used group policies to replace the
shell with logoff.exe, that would probably do the trick.

The shell doesn't get called by UAC logins, but does get called if the
user tries to login a desktop session.

 

[andy_c@hotmail.com]

Re: local administravtive users & UAC

Thanks for the reply. At my organization the security policy is a general
document that talks about principles rather than a lengthy volume with
specifics like this.

As for the book , its the one I read before I posted the question.


"Jesper" <Jesper@discussions.microsoft.com> wrote in message
news:EB89F2F1-EBA9-412F-AAD8-C9E26CDAF4CD@microsoft.com...
>I have a few comments on this. Overall, I would suggest you deny elevation
> for Standard Users, which forces them to use Fast User Switching to an
> administrative account instead. I am very puzzled why you wish to try to
> prevent that. If the problem is that users will log on with their
> administrative account I think your problem is better solved by enforcing
> an
> organizational security policy.
>
> 1. UAC elevation is a local logon. Therefore, if you deny local logon you
> also deny UAC elevation.
> 2. It is FAR more secure to use FUS to run elevated processes than it is
> to
> elevate them within the existing standard user desktop. It is kind of a
> pain,
> but if you do not need to do it very often it is a much better option.
> 3. Power Users are equivalent to Standard Users in Vista. They have almost
> no permissions that Standard Users do not have.
> 4. Power Users on XP is functionally equivalent to Administrators. It
> provides no security whatsoever to make a user a Power User instead of an
> Administrator. At best it prevents them from very easily shooting
> themselves
> in the foot, but even that is not true in all cases.
> ---
> Your question may already be answered in Windows Vista Security:
> http://www.amazon.com/gp/product/0470101555?ie=UTF8&tag=protectyourwi-20
>
>
> "andy_c@hotmail.com" wrote:
>
>> These PCs are all part of a Windows 2003 active directory, the question
>> refers to a local user on workstations within a domain
>>
>> A.
>>
>>
>> "f/fgeorge" <ffgeorge@yourplace.com> wrote in message
>> news:02f8k3dfd1sbdvjk1pilarlqo5n0hlq7o5@4ax.com...
>> > On Wed, 21 Nov 2007 13:16:13 -0000, <andy_c@hotmail.com> wrote:
>> >
>> >>Long post, but I think it's better to have some background and
>> >>understand
>> >>what I'm trying to achieve.
>> >>
>> >>XP environment:
>> >>Most users are happy to run as power users, and get applications
>> >>installed
>> >>for them via group policy. Some users though need to have the ability
>> >>to
>> >>install applications, and for these users I create a local
>> >>administrative
>> >>user and tell them to use it to install applications. However what ends
>> >>up
>> >>happening is they login as that admin user to install applications and
>> >>often
>> >>end up logging in as the admin user all day every day.
>> >>
>> >>Vista:
>> >>Again most users will be happy as a power user, getting applications
>> >>installed for them via group policy. Some users will need to install
>> >>applications and for them I would like to create a local administrative
>> >>user. BUT to prevent them from logging in as that user I want to
>> >>disable
>> >>the
>> >>ability for that user to login interactively. The idea being that the
>> >>user
>> >>will be prompted for admin credentials by the UAC, they enter them and
>> >>the
>> >>software installs. They CANNOT login to windows as the local admin user
>> >>so
>> >>have to run windows as their power user.
>> >>
>> >>So the task is to try to deny a user the right to logon to windows, but
>> >>still allow the user's credentials be used in the UAC. I have tried
>> >>setting
>> >>the policy "Computer Configuration\Windows Settings\Security
>> >>Settings\User
>> >>Rights Assignment\Deny log on locally" and this prevents the user
>> >>logging
>> >>in
>> >>to windows, but it also stops the credentials being usable in the UAC.
>> >>
>> >>Any thoughts?
>> >>
>> > Sounds like you need a Server, it has lots of logon account variables
>> > that you can set.
>>
>>
>>

 

[andy_c@hotmail.com]

Re: local administravtive users & UAC

It's crazy enough. It might just work.

Thanks I will try.


"DevilsPGD" <spam_narf_spam@crazyhat.net> wrote in message
news:n7c9k310la705dn2fooce7ekidbedokusa@4ax.com...
> In message <e5DEyCELIHA.4228@TK2MSFTNGP02.phx.gbl> <andy_c@hotmail.com>
> wrote:
>
>>Some users will need to install
>>applications and for them I would like to create a local administrative
>>user. BUT to prevent them from logging in as that user I want to disable
>>the
>>ability for that user to login interactively.
>
> I haven't tested this, but if you used group policies to replace the
> shell with logoff.exe, that would probably do the trick.
>
> The shell doesn't get called by UAC logins, but does get called if the
> user tries to login a desktop session.

 

[DevilsPGD]

Re: local administravtive users & UAC

In message <eu43#5OLIHA.4948@TK2MSFTNGP02.phx.gbl> <andy_c@hotmail.com>
wrote:

>It's crazy enough. It might just work.

My favourite kind of solution Let me know how it goes...