I'm planning to harden my AD-based infrastructure. One privilege that I'm planning to limit is the "local logon" privilege.
Now, if I push "Deny Logon Locally" through GPO, besides preventing affected users from logging in on the physical console, what other side effects will happen?
Specifically, I'm interested in whether the denied account be used for:
- runas
- RDP to console (using /admin switch)
- Scheduled Tasks
- Running services
- psexec
I do plan to experiment, but just in case there are additional, important side effects I need to be aware of that are not listed above, please let me know.
Thank you!
Deny Logon Locally affects both runas, RDP to console and psexec. Whereas it doesnt affect the other two..
If you want to deny the other two also, you need to do it through GPO like deny logon as a service etc..