Hi All,
I'm working on a little security project as a way to correct some crazy stuff.
Currently every user is a local admin of their computer (crazy stuff, I said)... well, my main objective is to remove this right (not really complicated), but I also need to implement a little mechanism.
For a certain category of users, they need to stay local admin (VIPs, developers)... but with a specific account. Let me explain.
Windows logins use the format Firstname_Nickname... and this is the account that is currently a local admin of their computer. We're going to create a new user called ADM_FirstLetterFirstName&nickname...
We want to implement this sort of thing:
- an adm account, specific to a user, can only be a local admin of his computer (easy with SCCM 2012 and user affinity)
- the adm account does not have the right to open a Windows session.
In fact, if a user (like a VIP) needs to launch a process that needs some elevated rights, UAC will show the credentials popup and this user will have to input his adm account.
My problem is how I can restrict a user (adm) from opening a session while at the same time this account can still launch some local processes.
If I use the GPO called "Deny log on locally"... effectively the adm account does not have the possibility to open a session on the computer... but it also cannot be used to launch any process under a normal user session, even if this account is a local admin.
So is there a way to implement this sort of thing?
Thanks for any idea or help.
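As an added example (not code from the original post), the following PowerShell audit lists the members of a machine's local Administrators group and flags which of them are covered by the "Deny log on locally" user right, so the end state the post describes (an ADM_ account that is a local admin but cannot open a session) can be checked per computer. The ADM_ prefix, the use of secedit for the export, and the Get-LocalGroupMember cmdlet (Windows 10 / Server 2016 and later) are assumptions; the script needs an elevated prompt.

```powershell
# Added example, not code from the original post. Audits the local Administrators
# group against the "Deny log on locally" user right (SeDenyInteractiveLogonRight).
# Assumes the ADM_ naming convention from the post; run from an elevated prompt.

function Get-DeniedInteractiveLogonSids {
    # secedit exports the effective local policy as an INI-style file
    $cfg = Join-Path $env:TEMP 'userrights-audit.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
        if (-not $line) { return @() }
        # The value is a comma-separated list; SIDs are prefixed with '*', names are plain
        $entries = ([string]$line -split '=', 2)[1].Trim() -split ','
        foreach ($e in $entries) {
            $e = $e.Trim()
            if ($e.StartsWith('*')) {
                $e.Substring(1)
            } else {
                # Translate an account name to its SID so we can compare by SID below
                (New-Object System.Security.Principal.NTAccount($e)).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

function Get-LocalAdminLogonAudit {
    $denied = @(Get-DeniedInteractiveLogonSids)
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $sid = $m.SID.Value
        [pscustomobject]@{
            Name                   = $m.Name
            IsAdmAccount           = (($m.Name -split '\\')[-1] -like 'ADM_*')
            DeniedInteractiveLogon = ($denied -contains $sid)
        }
    }
}

# Rows that are local admins AND not denied interactive logon are the accounts the
# post wants to get rid of; an ADM_ row with DeniedInteractiveLogon = True matches
# the intended state (and, as the post observes, also loses UAC elevation).
Get-LocalAdminLogonAudit | Format-Table -AutoSize
```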