In short, is there a way to set up an administrative account that:

1. Cannot log in through the Welcome screen,

2. Can be used for UAC prompts,

3. Doesn't require removing the Welcome screen altogether?

Basically, we have these laptops that need to go to some teachers at some of our remote sites. They need some level of administrative access; we can't take it away entirely. The problem is that if we give them a straight-up administrative account, we know that 90% of them will just use it as their day-to-day account. This is part of a Windows 7 migration from XP and we've already gotten high resistance to UAC.

What I'd like to do is force them to use better practice by setting up an administrative account that can only be used for UAC. Yes, I know this is "security through obscurity". We consider it 'training wheels' and figure anyone smart enough to figure it out would be smart enough not to need us forcing it on them in the first place. At the very least, it removes plausible deniability if defeated.

So far, I've tried removing local login permission through secpol.msc. I've tried adding the account to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, which may very well amount to the same thing. It seems everything I've tried so far removes both local login and UAC capability. Has anyone tried this setup before?


Answers

0

The simple way may be through implementing a least privileged environment. This may not be as complex as it seems; the welcome screen may be the biggest issue there, but if you remove admin rights it will prompt for UAC, which in turn may generate additional leg work if you do not have privilege management tools in play.

Check this out: https://support.quest.com/productinformation.aspx?pr=268447870

Answered 05/07/2013 by: myltonpalmer
Senior White Belt


0

Have you tried a combination of adding their accounts to the local administrators group AND locking the machine down pretty tight using Group Policy? This is what I did back in my school district so that the teachers had basic access to things like being able to orient Smartboards, but their GP prevented them from opening control panels, etc.

Just a thought.

Answered 05/01/2013 by: andrew_lubchansky
Black Belt

0

The one solution I used for a similar situation was to put a command in the administrator user's startup folder to automatically log out. That way if someone tries to log in with that account it will just log out immediately, but they can still use the account to authenticate for UAC purposes.

Answered 05/01/2013 by: chucksteel
Red Belt

  • Haha. I can just imagine those Help Desk tickets coming in.
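The startup-folder logoff described in this answer, as an added PowerShell example that is not from the thread or its author. It generalises the idea to the all-users Startup folder (so it works before the admin account has ever built a profile) and assumes the UAC-only account is a local user named LocalAdmin; run it elevated on each laptop.

```powershell
# Install a Startup item that logs the UAC-only admin account off as soon as
# it reaches the desktop, while leaving it usable for UAC elevation.
# Assumption (not from the thread): the account is a local user named LocalAdmin.
$AdminName = 'LocalAdmin'

# Fail early if the account does not exist on this machine (net user is present on Windows 7).
$null = & net.exe user $AdminName 2>&1
if ($LASTEXITCODE -ne 0) { throw "Local account '$AdminName' not found" }

# All-users Startup folder: processed at every interactive logon, writable only
# by administrators, and present even before LocalAdmin has its own profile.
$StartupDir = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp'
$ScriptPath = Join-Path $StartupDir 'uac-only-logoff.cmd'

# A UAC consent/credential prompt does not start a shell and never processes the
# Startup folder, so this fires only when someone signs in with the account at
# the Welcome screen. The username check keeps every other user unaffected.
$Batch = @"
@echo off
rem Log off immediately when the UAC-only admin account is used interactively.
if /I "%USERNAME%"=="$AdminName" shutdown.exe /l /f
"@
Set-Content -Path $ScriptPath -Value $Batch -Encoding Ascii

# Echo what was installed so the change can be audited.
Write-Host "Installed: $ScriptPath"
Get-Content -Path $ScriptPath
```

The batch file only runs once the desktop shell has started, so this is a deterrent in the "training wheels" sense the question describes, not a logon restriction like the secpol.msc setting that also broke UAC.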