Can I disable login for a user account and still have working impersonation?

Question

Several of us have a local administrator user account with the same username and password because the code includes ASP.NET impersonation and this setup enables it to work.

I'm not an expert on IIS or impersonation but I can see that it's not ideal for us all to have this local administrator on our systems. The IIS app pool identity for the application is the aforementioned user account.

Here's what I've tried:

• disable the user account: Go to Computer Management > System Tools > Local Users and Groups > Users > right click the user name > properties > check Account is disabled > Apply > OK > restart system.

What I want to know is can I disable login for the user account without causing impersonation to fail?

Answer 1

Thanks to the answer from Warren P, I was able to get what I was looking for by searching for "remove the Log on Locally User Privilege".

To regulate the security settings, I found the relevant MS documentation and followed these steps:

• Windows search for Local Security Policy
• Navigate to Security Settings > Local Policies > User Rights Assignment
• In the central pane, find Deny Log on locally and add the user

It ain't no fun getting caught out by easy to fix security issues.