Link to home
Create AccountLog in
Avatar of adamshields
adamshieldsFlag for United States of America

asked on

Creating a run-as administrative account that cannot login

Looking to remove administrative context from users and instead use an account that is an administrative context in which users can "run-as" when needed. I do not want the user's to be able to use the account to login to their system, or pretty much anything else.

Have the ability to push down GPO's from Windows Server 2008 and the clients are Windows XP and 7 hosts. Any tips on how to go about this?
Avatar of brian_vt_hokie
brian_vt_hokie
Flag of United States of America image

I would be extra cautious in doing this.  What specifically are you trying to give them permission to do?  "Run As" with Local Admin rights will allow them to do pretty much anything - install software, change the system time, install SpyWare, possibly remove the machine from the domain, undo key system settings, modify backup jobs, etc.

Is your goal just to allow pre-authorized users to install software?
Avatar of adamshields

ASKER

I agree it not a fix for the problem but it will keep users from running the traditionally installed applications as administrators that are often targeted, i.e. Acrobat, flash, etc...

They could in effect even grant their user account admin privs but at least the idea is a step in the right direction and better than the current implementation.
SOLUTION
Avatar of jasfout
jasfout
Flag of United States of America image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
ASKER CERTIFIED SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Thanks for the help!