Versus all files that are accessible in either case?
What? run as... /admin, for example, does not provide system-wide access to
the interactive logon. Thats why NT4 based systems provide User-level
security. Shift + right-click a shortcut, see run as... in the context menu?
Using an alternate, elevated account has been part of NT since NT was
created. You can run multiple applications, each with its own account
right/privilege, on the same system simultaneously without ever needing to
logoff.
In fact, operating a client or server with an ordinary account and executing
administrative tasks with an elevated account, without a logoff, is how W2K
is designed to be operated. The same applies to NT and XP as well as all the
OSs that will be released in the future. Its akin to the Unix or Linux
Superuser (SU) concept as well.
I won't argue the point. There are valid reasons for denying local
admin, as well as valid reasons to allow it. As long as you
understand the risks and mitigate them, feel free to deal with the
issue as you and your organization see fit.
What? Denying local logon to local admin? There is no reason to even
consider such a ridiculous concept. You have a serious miss-understanding of
W2K and other nt-based OSs.
If you want the full arguments to understand the issues better, Google
will give you plenty.
Speaking of Google, here is a document that explains the issue. Hopefully,
it will shed some light in the alternate login concept.
http://www.winnetmag.com/Articles/Index.cfm?ArticleID=7899
Alternate logons are a fundamental change when managing an OS like W2K.
Consider as an example a regular user that runs a single MMC console with
elevated privileges to both manage a domain or server (while never exposing
the PC to the dangers involved). Only the application runs with the elevated
privileges.
<snip>
