How can I disable an account for Welcome screen but make it available for UAC prompt?
In short, is there a way to set up an administrative account that:
1. Cannot log in through the Welcome screen,
2. Can be used for UAC prompts,
3. Doesn't require removing the Welcome screen altogether?
Basically, we have these laptops that need to go to some teachers at some of our remote sites. They need some level of administrative access; we can't take it away entirely. The problem is that if we give them a straight-up administrative account, we know that 90% of them will just use it as their day-to-day account. This is part of a Windows 7 migration from XP and we've already gotten high resistance to UAC.
What I'd like to do is force them to use better practice by setting up an administrative account that can only be used for UAC. Yes. I know this is "'security' through obscurity". We consider it 'training wheels' and figure anyone smart enough to figure it out would be smart enough not to need us forcing it on them in the first place. At the very least, it removes plausible deniability if defeated.
So far, I've tried removing local login permission through secpol.msc. I've tried adding the account to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList, which may very well amount to the same thing. It seems everything I've tried so far removes both local login and UAC capability. Has anyone tried this setup before?