Elevate admin rights
Hello community,
Is it possible to set up an admin account to be used only to elevate access?
For example, have 2 accounts, "TestAdmin" in the Administrators group and "TestUser" in the Users group. Disable log on for the "TestAdmin" account and only use it to elevate access (installing apps, changing network configurations, etc.).
I've done the following so far:
- Create the necessary accounts for the test and include them in the correct group.
- Add the "TestAdmin" account in Local Security Policy > Local Policies > User Rights Assignment > Deny log on locally and Deny log on through Remote Desktop Services.
- Add the "TestAdmin" account in Local Security Policy > Local Policies > User Rights Assignment > Act as part of the operating system and Increase scheduling priority policies.
As a result, TestAdmin cannot log on to the machine, but elevating access through the TestUser account fails with the following message:
"Logon failure: the user has not been granted the requested logon type at this computer."
Thank you.
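
An added example, not part of the original post: a PowerShell check that exports the local user rights assignment with `secedit` and reports which of the four policies named above are assigned to the account. The error text refers to a logon type, and the two "Deny log on" entries are logon-type rights, so this shows exactly what is in effect on the machine. It assumes an elevated prompt and the account name `TestAdmin` from the post; the temp file name is arbitrary.

```powershell
# Added example: audit which user rights from the post are assigned to an account.
# Run from an elevated PowerShell prompt; 'TestAdmin' is the account name used in the post.
param([string]$Account = 'TestAdmin')

# Policy names from the post mapped to the constants secedit writes in its export.
$rights = [ordered]@{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    SeTcbPrivilege                    = 'Act as part of the operating system'
    SeIncreaseBasePriorityPrivilege   = 'Increase scheduling priority'
}

# Resolve the account to its SID; secedit lists principals as *SID or as a plain name.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user rights area of the local security policy.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

try {
    $lines = Get-Content -Path $cfg
    foreach ($name in $rights.Keys) {
        # Each right appears as "Constant = member,member,..." under [Privilege Rights].
        $line = $lines | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
        $members = @()
        if ($line) {
            $members = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
        }
        [pscustomobject]@{
            Policy   = $rights[$name]
            Constant = $name
            Assigned = ($members -contains "*$sid") -or ($members -contains $Account)
        }
    }
}
finally {
    # The export contains policy data; do not leave it in the temp directory.
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```

The check matches only direct assignments to the account; a right granted through a group the account belongs to is not reported.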