Windows 7 GPO Preventing admins from interactively logging in, but still allowing Run As / permission escalation

windows windows-7 group-policy

Solution 1:

This is really a personnel issue and not an IT problem. If users with administrative privileges can't respect the rules, they shouldn't have administrative privileges.

Even if there was an easy way of preventing an interactive logon, there's nothing to say they can't work around it - for example, they could terminate explorer.exe and re-start it running as their admin user, effectively giving them a full administrative environment. If you give them run as, you give them everything.

Related

Secure my DNS server by allowing connection only from VPN
script backups sqlite database, when ran as a cron the db and names are mangled
Dell R530 Broadcom NetXtreme tg3 nic limited to 12 MBytes/sec
Optimal parameters set for Postfix "smtpd_recipient_restrictions"
Can one machine virtually host a DNS server and an Email server?
How can I migrate soft RAID array made by mdadm to new server and new OS?
virtualenvwrapper and Python 3
Extract substring using regexp in plain bash
How can I kill whatever process is using port 8080 so that I can vagrant up?
Google API: Not a valid origin for the client: url has not been whitelisted for client ID "ID"
Volley Android Networking Library
How to check whether mod_rewrite is enable on server?