I've been asked this many times:"How can I block interactive logon of an admin account so they would just be able to use UAC?"
This is a good point as this will:
- Allow a user to use UAC-prompt to authorize admin procedures
- Not allow the user to actually start logging on as that user (as a convenience for themselves)
Windows does not allow the separation of a "UAC Logon" which is annoying as this would be great. So I can block logon interactively but the UAC won't work and if I want to allow UAC then they can always logon as well.
My trick on making this happen is to use AppLocker/SRP to block them from using the Explorer.exe or Task Manager. When they logon they get an empty screen with no ability to do anything. You could replace it with launching a custom shell as well and that shell would just show a note: "You are not allowed to logon interactively with this user!!"
So these are the rules I use: