/build/static/layout/Breadcrumb_cap_w.png

How can I disable an account for Welcome screen but make it available for UAC prompt?

In short, is there a way to set up an administrative account that:

1. Cannot log in through the Welcome screen,

2. Can be used for UAC prompts,

3. Doesn't require removing the Welcome screen altogether?

Basically, we have these laptops that need to go to some teachers at some of our remote sites. They need some level of administrative access; we can't take it away entirely. The problem is, that if we give them a straight up administrative account, we know that 90% of them will just use it as their day-to-day account. This is part of a Windows 7 migration from XP and we've already gotten high resistance to UAC.

What I'd like to do is force them to use better practice by setting up an administrative account that can only be used for UAC. Yes. I know this is "'security' through obscurity". We consider it 'training wheels' and figure anyone smart enough to figure it out would be smart enough not to need us forcing it on them in the first place. At the very least, it removes plausible deniability if defeated.

So far, I've tried removing local login permission through secpol.msc. I've tried adding the account to HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\SpecialAccounts\UserList, which may very well amount to the same thing. It seems everything I've tried so far removes both local login and UAC capability. Has anyone tried this setup before?

 


0 Comments   [ + ] Show comments

Answers (3)

Posted by: myltonpalmer 11 years ago
Senior White Belt
0

The simple way may be through implementing a least privileged environment.   This may not be as complex as it seems, the welcome screen may be the biggest issue there, but if you remove admin rights it will prompt the UAC....which in turn may generate additional leg work if you do not have privilege management tools in play.

Check this out

 

https://support.quest.com/productinformation.aspx?pr=268447870

Posted by: andrew_lubchansky 11 years ago
2nd Degree Black Belt
0

Have you tried a combination of adding their accounts to the local administrators group AND locking the machine down pretty tight using Group Policy?  This is what I did back in my school district so that the teachers had basic access to things like being able to orient Smartboards, but their GP prevented them from opening control panels, etc.

Just a thought.

Posted by: chucksteel 11 years ago
Red Belt
0

The one solution I used for a similar situation was to put a command in the administrator user's startup folder to automatically logout. That way if someone tries to login with that account it will just logout immediately, but they can still use the account to authenticate for UAC purposes.

 


Comments:
  • Haha. I can just imagine those Help Desk tickets coming in. - andrew_lubchansky 11 years ago

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

View more:

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ