Yeah; You would need to allow the privileges you revoked. The error message is pretty explicit on the reason its failing. – Ramhound – 2015-01-28T13:47:20.343

Does it work if you do a runas with the /noprofile switch? – Syberdoor – 2015-01-28T14:18:22.617

how about a good password on that user account. – Moab – 2015-01-29T01:32:56.077

1@Ramhound Explicit would be to mention the missing privilege, which the error message does not. – mgd – 2015-01-29T09:18:17.783

@Syberdoor I already tried that and unfortunately it does not work. – mgd – 2015-01-29T09:18:54.930

@Moab That's an alternative but what if you have a corporate policy that passwords needs to be changed every 3 months for all your service accounts on all machines? Therefore, I would like a solution where you cannot do an interactive login. (On UNIX/Linux you would set the login shell to /bin/false and/or use sudo.) – mgd – 2015-01-29T09:21:27.440

From what I found in short research I think the problem might be that if you make your account a service account then runas is prevented as well. This would make sense to me as with runas + sufficient tricks you can basically get a working explorer shell anyway so where would the difference be between logging in that account or running each and every program from another user session but with the rights of the account? If you have sufficient programming skill you can make a service (without gui I think) that accepts inputs from a program in another users context as workaround afaik. – Syberdoor – 2015-01-30T06:46:33.037