Set the user account(s) so it is Denied the right to Log On Interactively, and also Deny the right to Log On Through Remote Desktop Services?
Of course, this means they can do anything else they want using these credentials. You may want to look into privilege management software like RES, Scense or AppSense Application Manager, which lets users install stuff but doesn't actually give them any other administrative rights.

From: [email protected] [mailto:[email protected]] On Behalf Of Kish n Kepi
Sent: 30 March 2016 13:21
To: [email protected]
Subject: [NTSysADM] Local Administrative Privileges

Hello All,

I would like to give to my users, who do not have administrative privileges on their local Windows boxes, the ability to use other credentials with admin privileges so they install.

So, it's easy enough to create an admin account; however, I'd like to prevent people from actually using it to log in to Windows (thus bypassing my domain and its GPOs) and prevent creating a local profile (sort of like /sbin/nologin in /etc/passwd). Like this, I can restrict the use of the admin account to its intended purpose - allowing them to install, but making them jump through a hoop.

Or is there a better way to lock down users but still allow them to install?

Kish N Kepi
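
An added example, not part of the thread above: a PowerShell check that the two deny-logon rights suggested in the reply are actually assigned to the install account on a machine. It assumes a hypothetical account named SetupAdmin and relies on the user-rights constants SeDenyInteractiveLogonRight ("Deny log on locally") and SeDenyRemoteInteractiveLogonRight as written by secedit.

```powershell
# Added example: report whether an account is directly assigned the two
# deny-logon rights named in the reply. Run from an elevated prompt.
param([string]$Account = 'SetupAdmin')   # hypothetical account name

$rights = [ordered]@{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

# secedit writes resolvable principals as *SID, so compare on the SID.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the local security policy.
$cfg = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }

try {
    $policy = Get-Content -LiteralPath $cfg -Encoding Unicode
    foreach ($right in $rights.Keys) {
        # A right with no holders has no line at all in [Privilege Rights].
        $line = $policy | Where-Object { $_ -match "^$right\s*=" } |
                Select-Object -First 1
        $holders = @()
        if ($line) {
            $holders = ($line -split '=', 2)[1] -split ',' |
                       ForEach-Object { $_.Trim().TrimStart('*') }
        }
        # Direct assignment only: a deny applied through a group is not detected.
        [pscustomobject]@{
            Right    = $rights[$right]
            Constant = $right
            Assigned = ($holders -contains $sid) -or ($holders -contains $Account)
        }
    }
}
finally {
    Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
}
```

Both rows should show Assigned as True on every workstation where the account exists; a False row means the account can still start a desktop session by that route.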
