Pradeep

Reputation: 767

Prevent non-administrators from logging in on Windows for a specific period of time

Here is my scenario. My application does some maintenance stuff during which only administrators should be allowed to log in to Windows.

After the maintenance is done, any user should be able to log in.

What is a good solution to this problem? Any pointers would be appreciated.

Edit: OS is Windows 7

Thanks, Pradeep

Upvotes: 2

Views: 261

Answers (2)

Harry Johnston

Reputation: 36338

One solution would be to get the administrator to create a local group containing a list of users who should be able to log in normally, and to assign the "log in locally" right to only this group and the Administrators group.

You could then use LsaRemoveAccountRights and LsaAddAccountRights to toggle the "log in locally" right to the local group.

I suggest you get the administrator to do the initial changes, because messing with user rights without the administrator's knowledge and consent will upset people and could cause unexpected side-effects.

Upvotes: 1

Carey Gregory

Reputation: 6846

Enumerate all the users with NetUserEnum, and for those that are non-admins disable their account using NetUserSetInfo with the USER_INFO_1 struct and the UF_ACCOUNTDISABLE flag. Keep a list of the users you disable so that when you're done you can reenable their accounts. http://msdn.microsoft.com/en-us/library/windows/desktop/aa370960%28v=vs.85%29.aspx

Upvotes: 1
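The disable-and-restore procedure from the answer above, as an added example that is not code from either answer: it uses the ADSI WinNT provider from PowerShell in place of direct NetUserEnum/NetUserSetInfo calls. The state file path and the Begin/End phase names are assumptions; it handles local accounts only and must run elevated.

```powershell
# Added example: disable non-admin local accounts for a maintenance window, then restore.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Begin', 'End')][string]$Phase,
    [string]$StateFile = 'C:\ProgramData\Maintenance\disabled-users.txt'  # hypothetical path
)
$ErrorActionPreference = 'Stop'
$ADS_UF_ACCOUNTDISABLE = 0x2   # ADSI equivalent of UF_ACCOUNTDISABLE
$machine = $env:COMPUTERNAME

function Get-LocalAdminNames {
    # Look the group up by well-known SID so a localized group name still resolves.
    $sid   = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $name  = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[1]
    $group = [ADSI]"WinNT://$machine/$name,group"
    # Direct members only; members of nested groups are not expanded.
    $group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

if ($Phase -eq 'Begin') {
    # A leftover state file means a previous window was never closed; overwriting it
    # would lose the list of accounts that must be re-enabled.
    if (Test-Path $StateFile) { throw "State file $StateFile exists; run -Phase End first." }
    New-Item -ItemType Directory -Force -Path (Split-Path $StateFile) | Out-Null
    $admins = @(Get-LocalAdminNames)
    $users  = ([ADSI]"WinNT://$machine,computer").Children |
              Where-Object { $_.SchemaClassName -eq 'User' }
    foreach ($user in $users) {
        $name  = [string]$user.Name.Value
        $flags = [int]$user.UserFlags.Value
        if ($admins -contains $name) { continue }               # leave administrators alone
        if ($flags -band $ADS_UF_ACCOUNTDISABLE) { continue }   # was already disabled: not ours
        Add-Content -Path $StateFile -Value $name               # record first, then disable
        $user.Put('UserFlags', ($flags -bor $ADS_UF_ACCOUNTDISABLE))
        $user.SetInfo()
    }
}
elseif (Test-Path $StateFile) {
    foreach ($name in @(Get-Content -Path $StateFile)) {
        $user  = [ADSI]"WinNT://$machine/$name,user"
        $flags = [int]$user.UserFlags.Value
        $user.Put('UserFlags', ($flags -band (-bnot $ADS_UF_ACCOUNTDISABLE)))
        $user.SetInfo()
    }
    Remove-Item -Path $StateFile
}
```

Accounts that were already disabled before the window are skipped, so the End phase re-enables only what the Begin phase turned off. Disabling an account blocks new logons but does not end sessions that are already open.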
