Run As restriction

  • Thread starter: Eric H. Vela

Eric H. Vela

Is there a way to make a user be accessible ONLY via the Run As option and
not able to actually log into a server or workstation from a login screen?
If so, how?

Thanks in advance...
Eric
 
Not that I know of. If you set the machine's rights to allow or deny
interactive logon for a particular group or user, this applies to runas as
well as a conventional logon.

I don't know if the check is done with the runas command or at the
CreateProcessAsUser API call. You could try denying a user interactive
logon from the local security policy and run Joe Richards' cpau utility
(www.joeware.net) to see if this also throws up an interactive logon denied
error.

Another technique might be to use group policy to ensure that the user gets
something useless like sol.exe as their shell instead of explorer.exe.

Regards

Oli
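
The reply above says the interactive-logon rights govern Run As as well as the logon screen. The following added example, which is not part of the thread, parses a user-rights export (as written by `secedit /export /cfg rights.inf /areas USER_RIGHTS`) and reports how the allow and deny rights resolve for one account. The sample export and the account SIDs are constructed, and the caller is assumed to supply the account's group SIDs.

```python
# Added example: evaluate interactive-logon rights from a secedit export.
# Real exports are UTF-16; read them with open(path, encoding="utf-16").read().

# Constructed sample export; the domain SID ending in -1105 is made up.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-21-1111-2222-3333-1105
SeNetworkLogonRight = *S-1-1-0
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_rights(text):
    """Return {right_name: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs carry a leading '*'; unresolved names appear bare. Compare in lower case.
        members = {m.strip().lstrip("*").lower() for m in value.split(",") if m.strip()}
        rights[name.strip()] = members
    return rights

def interactive_logon(rights, identities):
    """identities: the account's own SID plus the SIDs of every group it belongs to."""
    ids = {i.lower() for i in identities}
    if ids & rights.get("SeDenyInteractiveLogonRight", set()):
        return "denied"          # an explicit deny wins over any allow
    if ids & rights.get("SeInteractiveLogonRight", set()):
        return "allowed"
    return "not granted"         # no allow entry: the logon fails as well

if __name__ == "__main__":
    rights = parse_rights(SAMPLE_EXPORT)
    svc = ["S-1-5-21-1111-2222-3333-1105", "S-1-5-32-545"]   # in Users, but denied
    print("service account:", interactive_logon(rights, svc))
```
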
 
Hi Eric

As Oli already pointed out, it is not possible. What are you trying to
accomplish exactly?
 