Disable logon to XP without disabling or locking account?

  • Thread starter Thread starter hemlockz
  • Start date Start date
H

hemlockz

We have a couple domain accounts that are members of the local
Administrators group on all our workstations. (Our domain users are
Power Users.) We use these accounts to log in and install programs
and things that Power Users cannot. A while ago one of the IT created
another account and added it to the group with the intent of using the
account for Run As... installation scripts and things of that nature.
Pretty soon a couple of domain users have read the batch files and
taken the password for that account and are now using it to log on to
their workstations and install software. They only call IT after they
have ruined their registry or downloaded a virus. The Run As...
account has been very helpful and a huge time saver but opened up this
security hole. It would not be so much of a problem if we could
restrict log on from the account but still use it to "Run As..."
Unfortunately if I modify the Log On To... under the account
properties in Active Directory the Run As... will not work unless the
the account is also allowed to log on. Is there anything we can do to
prevent the account from logging on to Windows XP, but still be able
to Run As...? Thanks.
 
hemlockz said:
We have a couple domain accounts that are members of the local
Administrators group on all our workstations. (Our domain users are
Power Users.)
Click to expand...

Note that Power Users is pretty nearly Administrators in XP - I'd rethink
this. They really ought to just be users.
We use these accounts to log in and install programs
and things that Power Users cannot. A while ago one of the IT created
another account and added it to the group with the intent of using the
account for Run As... installation scripts and things of that nature.
Pretty soon a couple of domain users have read the batch files and
taken the password for that account and are now using it to log on to
their workstations and install software. They only call IT after they
have ruined their registry or downloaded a virus. The Run As...
account has been very helpful and a huge time saver but opened up this
security hole. It would not be so much of a problem if we could
restrict log on from the account but still use it to "Run As..."
Unfortunately if I modify the Log On To... under the account
properties in Active Directory the Run As... will not work unless the
the account is also allowed to log on. Is there anything we can do to
prevent the account from logging on to Windows XP, but still be able
to Run As...? Thanks.
Click to expand...

The short answer is no. . I would suggest you pull back from trying address
the symptom, in favor of curing the problem, which is that you've got
passwords in clear text. Change the password immediately, and never embed
passwords in clear text /
in batch files like that.

There are many runas alternatives - see http://www.wingnutsoftware.com/ for
an option.
 
Back
Top