Deny logover for industrial it admin group

Does anyone know a method for denying a group e.g. industrial IT admin the right to logover? If you give a user the "impersonate client after authentication" right then any Windows / 800xA user can logover.



asked 2 years ago



As far as I know, once logover has been enabled, there is nothing additionally that can be configured inside the 800xA System to prevent logover.

If the workplace was originally launched from an account having "Impersonate" privilege, logover will be possible for any person located at the keyboard of that workplace.

C:\>whoami /all | find /i "impersonate"
SeImpersonatePrivilege Impersonate a client after authentication Enabled

This can be used to allow an unattended computer to auto-login and auto-launch a read-only capable workplace. Once a privileged user arrives at that workplace and would like to perform privileged work, he or she can do that after performing a logover to another user. This other user does not need to have impersonate privilege.

To prevent logover you must choose from:

a) remove the impersonate privilege from the account used to launch the workplace

b) keep usernames and passwords secret

Stefan Stromqvist   

answered 2 years ago
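
An added example (not part of the original thread and not ABB code) that supports option a) and the `whoami` check above: it lists which accounts are directly assigned "Impersonate a client after authentication" in a `secedit` user-rights export. The account name `PLANT\OperatorAutoLogin` is hypothetical and the sample INF line is constructed.

```powershell
# Live export on the workplace node (elevated prompt), then feed the lines in:
#   secedit /export /areas USER_RIGHTS /cfg "$env:TEMP\rights.inf"
#   $lines = Get-Content "$env:TEMP\rights.inf"

function Get-ImpersonateHolders {
    param([string[]]$InfLines)
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeImpersonatePrivilege\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }              # right is assigned to nobody
    foreach ($entry in ($line -split '=', 2)[1] -split ',') {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs with a leading '*'; resolve to a name if possible
            $sid = $entry.Substring(1)
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]::new($sid)).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = $sid }            # unresolvable SID: keep it raw
            [pscustomobject]@{ Sid = $sid; Name = $name }
        } else {
            # entries without '*' are plain account or group names
            [pscustomobject]@{ Sid = $null; Name = $entry }
        }
    }
}

# Constructed sample of the relevant INF section (not from a real system)
$sample = @(
    '[Privilege Rights]',
    'SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,PLANT\OperatorAutoLogin'
)
$launchAccount = 'PLANT\OperatorAutoLogin'      # hypothetical auto-login account

$holders = Get-ImpersonateHolders -InfLines $sample
$holders | Format-Table -AutoSize

if ($holders.Name -contains $launchAccount) {
    "$launchAccount is assigned SeImpersonatePrivilege directly; logover is possible at workplaces it launches."
} else {
    # The right can still arrive through group membership (e.g. S-1-5-32-544,
    # Administrators), so confirm with 'whoami /all' in the launching session.
    "$launchAccount is not listed directly; check its group memberships."
}
```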


By WvanWees on 2/16/2016 | Like (0) | Report

The customer wants logover but for an os which can be accessed from the internet (with all security measures in order) they still want admin users to be denied access for logover. I couldn't think of a way to prevent this, but I was hoping someone on AKS could think of a way. Read only from the internet is also no option.

By Stefan Stromqvist on 2/16/2016 | Like (0) | Report

Have you tried denying 800xA admin accounts to login via Group Policy?

This has to be enabled after config and be reverted when required, e.g. to access service account.

Must be checked; I suspect the service account must still be available for service (non interactive) tasks.

By WvanWees on 2/16/2016 | Like (0) | Report

I'm going to experiment with that tomorrow. I tried some things with group policy today but didn't succeed yet.
There is no indication that something (e.g. afwworkplace) is running with different credentials.

By Stefan Stromqvist on 2/16/2016 | Like (0) | Report

OK, update the thread if you find any news.

The user tool (lower right corner of Plant Explorer) will indicate an active logover by turning yellow.

The "inability" to perform logover due to launching user's lack of impersonate is not indicated until logover is attempted.




If you want to deny logover for the user, just remove the user from the security setting "impersonate client after authentication" in all workplaces; so instead of configuring this setting for Industrial IT user, do it on a per-user basis.


answered 2 years ago




I've tried the "deny log on locally" group policy but this doesn't work. The logover is not a normal login. Reading about it, this is about security tokens; I guess it's not possible.


answered 2 years ago


By Newwy72 on 1/19/2017 | Like (0) | Report

Did you solve this? I'm looking to do the same thing.

By WvanWees on 1/20/2017 | Like (0) | Report

No, I did not find a method to prevent it.
