Hello there,
To achieve this setup, where a domain user is not allowed to log in to a client computer but can still open an administrative command prompt, you can follow these steps:
1. Create a Restricted Group:
In Active Directory, create a security group specifically for users who need administrative access without interactive logon. Let's call this group "AdminCMDUsers".

2. Group Policy Object (GPO) Configuration:
Configure a Group Policy Object to enforce the desired restrictions. Here's what you can do:

a. Deny Interactive Logon:
In the GPO, go to "Computer Configuration" > "Policies" > "Windows Settings" > "Security Settings" > "Local Policies" > "User Rights Assignment".
Add the "AdminCMDUsers" group to the "Deny log on locally" policy. This will prevent members of this group from logging in interactively to client computers.

b. Allow Remote Desktop Services:
If you want members of the "AdminCMDUsers" group to be able to remotely access a client computer using Remote Desktop Services, add the group to the "Allow log on through Remote Desktop Services" policy.

3. Elevated Command Prompt Access:
To allow members of the "AdminCMDUsers" group to open an administrative command prompt, you can use a few methods:

a. RunAs Command:
Users can run the runas command to open an administrative command prompt. They'll need to provide valid administrator credentials when prompted.

b. Shortcut with RunAs:
Create a shortcut on the desktop that uses the runas command to launch the administrative command prompt. Users can right-click the shortcut and choose "Run as different user" to provide administrator credentials.

c. Batch Script:
Create a batch script that uses the runas command to open an administrative command prompt. Users can run the script to open the command prompt.
I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.
Hope this resolves your query!
-- If the reply is helpful, please upvote and accept it as an answer. --
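Once the GPO from step 2 has applied to a client, an administrator usually wants to confirm on the machine itself which principals actually hold the two user rights involved ("Deny log on locally" is SeDenyInteractiveLogonRight, "Allow log on through Remote Desktop Services" is SeRemoteInteractiveLogonRight). The following PowerShell script is an added example, not part of the answer above and not Microsoft's own tooling: it exports the local user-rights assignment with secedit, parses the [Privilege Rights] section, resolves SIDs to account names, and reports whether the group is listed. The group name "AdminCMDUsers" comes from the answer; the domain prefix "CONTOSO" is an assumed placeholder.

```powershell
# Added example: audit the effective user-rights assignment on a client
# after the GPO has applied. Run from an elevated PowerShell prompt.
# "AdminCMDUsers" is the group name used in the answer; "CONTOSO" is an
# assumed domain name, change it to match your environment.
param(
    [string]$GroupToCheck = 'CONTOSO\AdminCMDUsers'
)

# Export only the user-rights area of the local security policy to a temp .inf.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; is this prompt elevated?' }

# Parse the [Privilege Rights] section. Lines look like:
#   SeDenyInteractiveLogonRight = *S-1-5-32-546,CONTOSO\AdminCMDUsers
# Entries prefixed with * are SIDs; the rest are already account names.
$rights = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') {
        $inSection = ($Matches[1] -eq 'Privilege Rights')
        continue
    }
    if (-not $inSection -or $line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
    $rightName = $Matches[1]
    $members = @()
    foreach ($raw in ($Matches[2] -split ',')) {
        $entry = $raw.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {
            # Translate the SID to DOMAIN\Name; keep the raw SID if it cannot be resolved
            # (e.g. a deleted group that is still referenced by the policy).
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $entry = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }
        }
        $members += $entry
    }
    $rights[$rightName] = $members
}
Remove-Item $inf -ErrorAction SilentlyContinue

# The two rights touched by steps 2a and 2b of the answer.
$check = [ordered]@{
    'Deny log on locally (2a)'                          = 'SeDenyInteractiveLogonRight'
    'Allow log on through Remote Desktop Services (2b)' = 'SeRemoteInteractiveLogonRight'
}
foreach ($label in $check.Keys) {
    $members = $rights[$check[$label]]
    $listed  = ($members -contains $GroupToCheck)   # -contains is case-insensitive
    $shown   = if ($members) { $members -join ', ' } else { '<none>' }
    '{0}: {1}' -f $label, $shown
    '  -> {0} {1}' -f $GroupToCheck, $(if ($listed) { 'IS listed' } else { 'is NOT listed' })
}
```

Run it after `gpupdate /force` on a client in the targeted OU; if the group shows as "is NOT listed" under "Deny log on locally", the GPO has not applied to that machine yet (check `gpresult /r` for the policy's scope and security filtering before adjusting the policy itself).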