Re: Restrict both local machine accounts and domain accounts from login

From: Tekmazter (Sigs48_at_Hotmail.com)
Date: 11/16/05 

Date: Wed, 16 Nov 2005 15:11:52 -0500

Okay, I should say that I found out how to restrict logon accounts
immediately after posting this, so I will go into a new question that this
has created....

I restricted logon interactively via the local machine (servers in this
case) policy. I do not have in place any group policy settings which would
effectively override these settings. Okay, for the new question...

I do have service accounts that are also part of the Users group for which I
have disabled interactive logons. Some of them are listed explicitly when
using the local machine policy as having this right, however others
(sqldebugger) for example are not listed, but are members of the users
group.

Q. Will this have any effect on the service account if it attempts to run
against the machine when called upon and not having the logon interactively
permission? Of course I can always add that account explicitly too, but
before I go and dbl-up on permissions, I thought I'd ask first.

"Tekmazter" <Sigs48@Hotmail.com> wrote in message
news:uHHqoVu6FHA.3760@TK2MSFTNGP14.phx.gbl...
> Pretty straight forward question here and I can't seem to remember how to
> do this or the knowledge base article on it...
>
> Anyway... I would like to do the following:
>
> (!) DISallow all accounts both local and domain except for Enterprise
> Admins, Domain Admins, and local administrators at a particular machine
> from logging into my servers locally --meaning while sitting in front of
> the machine
>

Relevant Pages

  • Restricting logon hours specific to a computer
    ... I seem to remeber there's a way to restrict logon hours to a computer rather ... I don't want to change about 30 accounts to enforce ... restricted hours on a computer we have in the lobby. ...
    (microsoft.public.windows.server.sbs)
  • RE: Local Accounts
    ... domain user accounts administrators on the local machine. ... This will give them admin rights on the local machine ... though I can do this for the Administrator account as well. ...
    (microsoft.public.windows.server.sbs)
  • Re: Domain workstation cannot see the domain for adding user permissio
    ... problem to a domain controller, or a problem with it's security account. ... other machines see the local machine (and all created accounts on ...
    (microsoft.public.windowsxp.security_admin)
  • Re: [opensuse] fstab: umount as user
    ... frequently dynamically created on the local machine on login and the ... Doesn't this qualify as dynamically created on the local machine? ... hundred workstations, several thousand user accounts, charged printer ... network administrators snmb, router, radius and firewall management can ...
    (SuSE)
  • Authentication Auditing
    ... We are trying to ensure that we have auditing enabled for all login attempts ... to either domain or local machine accounts. ... I believe that we have enabled auditing for domain level accounts through ... accounts on our domain controller's security logs but I am not seeing login ...
    (microsoft.public.win2000.security)