Re: Re: Restricting account to a computer only
From: Laura Robinson (larobins_at_verizon.net)
Date: 10/14/04
- Previous message: Ansgar -59cobalt- Wiechers: "Re: Remote connections"
- Maybe in reply to: Matt Ostiguy: "Re: Restricting account to a computer only"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Matt Ostiguy <ostiguy@gmail.com>, Paul Aviles <paviles@adjoined.com>
Date: Thu, 14 Oct 2004 13:50:44 -0400
As an FYI, it is not possible to create an account with *no* group membership.
Laura
>
> From: Matt Ostiguy <ostiguy@gmail.com>
> Date: 2004/10/06 Wed PM 03:14:45 EDT
> To: Paul Aviles <paviles@adjoined.com>
> CC: focus-ms@securityfocus.com
> Subject: Re: Restricting account to a computer only
>
> OOTB, Domain Admins can log on to anything (because when you add a
> machine to a domain, the Domain Admins group is added to the local
> Administrators group, which has the local logon right on both desktops
> and servers), and Domain Users can only log on to workstations because
> Server does not grant the local logon right to the local Users group
> (which contains the Domain Users group). Any account that is not a
> member of either Domain Admins or Domain Users should not have any
> logon rights anywhere. So, for your scenario, I might look at creating
> a user with no group membership, and explicitly granting that account
> user rights on the machine(s) as necessary. If you have multiple
> machines and/or accounts performing this task, then I would probably
> use some combination of group policy and groups to get this done.
>
> That said, figuring out what you need to assign might be difficult.
> Does the product you are deploying (I am assuming it is a product due
> to E2k not needing a service account) fully document what rights its
> account needs?
>
>
> On Tue, 5 Oct 2004 13:09:55 -0400, Paul Aviles <paviles@adjoined.com> wrote:
> > We want to restrict a service account to logging in to only one computer
> > for security reasons.
> >
> > This is for an exchange 2000 server and obviously we don't want anyone
> > to use the account/password to read people's emails since the account
> > must be a member of the Domain Exchange Admin (yeah/neah?). I found an
> > option under Account / Login To, but it says at the top "This feature
> > requires the NetBIOS protocol. In Computer Name, type the pre-Windows
> > 2000 computer name". We obviously don't use NetBIOS; is there any other
> > way to do this?
> > To make things even better... the Exchange server is also a DC... I
> > didn't do it...
> >
> > I have the same concern if we create an account and put it in the
> > Backup Operators group. What can restrict that account to logging in only
> > on servera, for example, and not on all the other workstations in the domain?
> >
> > Thanks so much for your help.
> >
> > Paul
> >
> >
> >
>
>
>
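The two mechanisms discussed in this thread, the "Log On To" workstation restriction Paul found and the explicit per-machine user rights Matt suggests, as an added example that is not part of the original thread. It assumes the ActiveDirectory RSAT module, an elevated shell, and hypothetical names: the service account EXSVC and the server SERVERA (its pre-Windows 2000 name); the rights import step is run on SERVERA itself.

```powershell
# Added example, not from the original posts. Names are hypothetical.
#Requires -Modules ActiveDirectory
param(
    [string]$Account = 'EXSVC',    # hypothetical service account
    [string]$Server  = 'SERVERA'   # hypothetical pre-Windows 2000 (NetBIOS) name
)

# 1. The "Log On To" restriction. It is stored in the account's
#    userWorkstations attribute as a comma-separated list of pre-Windows 2000
#    computer names, which is why the dialog asks for the NetBIOS name: the DC
#    compares it against the computer name presented at logon. Several
#    machines would be given as 'SERVERA,SERVERB'.
Set-ADUser -Identity $Account -LogonWorkstations $Server
$applied = (Get-ADUser -Identity $Account -Properties LogonWorkstations).LogonWorkstations
"userWorkstations for ${Account}: $applied"

# 2. Explicit user rights on one machine, instead of inheriting them through
#    the local Users / Administrators groups. secedit exports the local
#    security policy to an .inf, we add the account's SID to the two logon
#    rights, and import it back. The same .inf can be applied through a GPO
#    linked only to the server's OU if several machines need it.
$sid = (Get-ADUser -Identity $Account).SID.Value
$inf = Join-Path $env:TEMP 'logon-rights.inf'
$db  = Join-Path $env:TEMP 'logon-rights.sdb'

secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$current = Get-Content -Path $inf            # secedit writes UTF-16 with a BOM

# Show who already holds the rights before changing anything.
$current | Where-Object { $_ -match '^Se(Interactive|Service)LogonRight' }

$wanted = @('SeInteractiveLogonRight', 'SeServiceLogonRight')
$seen   = @{}
$new = foreach ($line in $current) {
    if ($line -match '^(Se\w+LogonRight)\s*=\s*(.*)$' -and $wanted -contains $Matches[1]) {
        $name = $Matches[1]; $holders = $Matches[2]
        $seen[$name] = $true
        # Keep existing holders; append *SID only if not already present.
        if ($holders -notmatch [regex]::Escape("*$sid")) {
            $holders = ("$holders,*$sid").Trim(',')
        }
        "$name = $holders"
    }
    elseif ($line -match '^\[Privilege Rights\]') {
        $line
        # Edge case: a right nobody holds is absent from the export, so emit
        # it directly under the section header.
        foreach ($r in $wanted) {
            if (-not ($current -match "^$r\s*=")) { "$r = *$sid"; $seen[$r] = $true }
        }
    }
    else { $line }
}

Set-Content -Path $inf -Value $new -Encoding Unicode
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
"Granted $($wanted -join ', ') to *$sid on $env:COMPUTERNAME"
```

Two caveats that follow from the thread itself: the account still carries its primary group (Domain Users by default), so step 1 is what keeps that membership from turning into logon rights on every workstation; and on a machine that is also a domain controller, as Paul's Exchange server is, there is no local security policy to edit, so the rights in step 2 have to be set in the Default Domain Controllers Policy instead.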