How can I disable an account for Welcome screen but make it available for UAC prompt?
In short, is there a way to set up an administrative account that:
1. Cannot log in through the Welcome screen,
2. Can be used for UAC prompts,
3. Doesn't require removing the Welcome screen altogether?
Basically, we have these laptops that need to go to some teachers at some of our remote sites. They need some level of administrative access; we can't take it away entirely. The problem is that if we give them a straight-up administrative account, we know that 90% of them will just use it as their day-to-day account. This is part of a Windows 7 migration from XP, and we've already gotten high resistance to UAC.
What I'd like to do is force them to use better practice by setting up an administrative account that can only be used for UAC. Yes. I know this is "'security' through obscurity". We consider it 'training wheels' and figure anyone smart enough to figure it out would be smart enough not to need us forcing it on them in the first place. At the very least, it removes plausible deniability if defeated.
So far, I've tried removing local login permission through secpol.msc. I've tried adding the account to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, which may very well amount to the same thing. It seems everything I've tried so far removes both local login and UAC capability. Has anyone tried this setup before?
Answers (3)
The simple way may be through implementing a least-privileged environment. This may not be as complex as it seems; the welcome screen may be the biggest issue there, but if you remove admin rights it will prompt the UAC, which in turn may generate additional legwork if you do not have privilege management tools in play.
Check this out
https://support.quest.com/productinformation.aspx?pr=268447870
Have you tried a combination of adding their accounts to the local administrators group AND locking the machine down pretty tight using Group Policy? This is what I did back in my school district so that the teachers had basic access to things like being able to orient Smartboards, but their GP prevented them from opening control panels, etc.
Just a thought.
The one solution I used for a similar situation was to put a command in the administrator user's startup folder to automatically log off. That way, if someone tries to log in with that account, it will just log off immediately, but they can still use the account to authenticate for UAC purposes.
Comments:
- Haha. I can just imagine those Help Desk tickets coming in. - andrew_lubchansky 11 years ago
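The auto-logoff approach from the answer above, written out as an added PowerShell example (not code from the thread or from any of the posters). It assumes a local administrative account named LocalAdmin that has already signed in once so a profile folder exists; it resolves that account's profile by SID, drops a logoff command into the per-user Startup folder, and then lists interactive sign-ins (event 4624, logon type 2) for the account so a technician can tell whether anyone is still trying to use it day to day. The filter on winlogon.exe as the calling process is an assumption made here to separate real sign-ins from UAC credential prompts, which also log type 2 events; verify it on a test machine before relying on it.

```powershell
# Added example, not part of the original thread. Run from an elevated
# PowerShell prompt on the laptop. Assumes the account below already has
# a local profile (sign in once to create it).
$Account = 'LocalAdmin'   # assumption: the UAC-only administrative account

# Resolve the account to its SID and find its profile folder; matching on
# SID avoids guessing the folder name (profiles can end up as NAME.DOMAIN).
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
          [System.Security.Principal.SecurityIdentifier]).Value
$profile = Get-CimInstance Win32_UserProfile | Where-Object { $_.SID -eq $sid }
if (-not $profile) { throw "No local profile found for $Account; sign in once to create it." }

# 1. Put a logoff command in the account's Startup folder. It only runs when
#    this account signs in interactively; a UAC prompt that uses the same
#    credentials never loads the Startup folder, so elevation keeps working.
$startup = Join-Path $profile.LocalPath 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
New-Item -ItemType Directory -Path $startup -Force | Out-Null
Set-Content -Path (Join-Path $startup 'autologoff.cmd') -Value '@echo off', 'logoff.exe' -Encoding ASCII

# 2. Detection: interactive sign-ins for the account from the Security log.
#    Logon type 2 covers both Welcome-screen sign-ins and UAC credential
#    prompts; assumption: Welcome-screen sign-ins are raised by winlogon.exe,
#    while credential prompts are raised by consent.exe, so filter on the caller.
function Get-InteractiveLogons {
    param([string]$User, [int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d.TargetUserName -eq $User -and $d.LogonType -eq '2' -and
            $d.ProcessName -like '*\winlogon.exe') {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUserName; Caller = $d.ProcessName }
        }
    }
}

# Report any Welcome-screen sign-ins by the account during the last week.
Get-InteractiveLogons -User $Account
```

The Startup-folder entry is per profile, so it has to be placed on each laptop (or delivered with a logon script via Group Policy, which the page does not cover). It does not block the sign-in; it ends the session as soon as the profile loads, which is exactly the "training wheels" behaviour the question asks for, and the 4624 report is what turns a defeated logoff into a visible event rather than a silent one.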