Re: Restrict both local machine accounts and domain accounts from login

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 11/16/05


Date: Wed, 16 Nov 2005 16:47:26 -0600

I believe that they will not have a problem as long as they have the user
right to log on as a service. Of course, your best bet is to test out the
configuration, and for services configured to start manually, log on as a local
administrator and see if you can start the service. You could also configure
auditing on your server for audit privilege use for failure and then look in
the security log for failure events to see if there are problems with the
service.

--- Steve

"Tekmazter" <Sigs48@Hotmail.com> wrote in message
news:eS8p9nu6FHA.1420@TK2MSFTNGP09.phx.gbl...
> Okay, I should say that I found out how to restrict logon accounts
> immediately after posting this, so I will go into a new question that this
> has created....
>
> I restricted logon interactively via the local machine (servers in this
> case) policy. I do not have in place any group policy settings which
> would effectively override these settings. Okay, for the new question...
>
> I do have service accounts that are also part of the Users group for which
> I have disabled interactive logons. Some of them are listed explicitly
> when using the local machine policy as having this right; however, others
> (sqldebugger, for example) are not listed, but are members of the Users
> group.
>
> Q. Will this have any effect on the service account if it attempts to run
> against the machine when called upon and not having the logon
> interactively permission? Of course I can always add that account
> explicitly too, but before I go and dbl-up on permissions, I thought I'd
> ask first.
>
>
> "Tekmazter" <Sigs48@Hotmail.com> wrote in message
> news:uHHqoVu6FHA.3760@TK2MSFTNGP14.phx.gbl...
>> Pretty straightforward question here and I can't seem to remember how to
>> do this or the knowledge base article on it...
>>
>> Anyway... I would like to do the following:
>>
>> (!) DISallow all accounts both local and domain except for Enterprise
>> Admins, Domain Admins, and local administrators at a particular machine
>> from logging into my servers locally --meaning while sitting in front of
>> the machine
>>
>
>
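
An added example, not part of the original thread: a PowerShell check of the point made in the reply, listing each service that runs under a non-built-in account and whether that account is directly granted "Log on as a service" (SeServiceLogonRight) or "Log on locally" (SeInteractiveLogonRight). It assumes an elevated prompt and PowerShell 3.0 or later (for Get-CimInstance and -in), and it only sees accounts named directly in the policy; a right an account holds through group membership, such as the Users group, is not expanded.

```powershell
# Added example. Run from an elevated prompt on the server being checked.
function Resolve-Sid([string]$Account) {
    # Services store local accounts as ".\name"; NTAccount needs MACHINE\name.
    $name = $Account -replace '^\.\\', "$env:COMPUTERNAME\"
    $sidType = [System.Security.Principal.SecurityIdentifier]
    try { ([System.Security.Principal.NTAccount]$name).Translate($sidType).Value }
    catch { $null }   # unresolvable account: reported as holding no rights
}

# Export only the user-rights section of the local security policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Lines look like "SeServiceLogonRight = *S-1-5-20,SomeAccount" (constructed sample).
# Entries with a leading "*" are SIDs; bare names are resolved to SIDs.
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.+)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object {
            $e = $_.Trim()
            if ($e.StartsWith('*')) { $e.Substring(1) } else { Resolve-Sid $e }
        })
    }
}
Remove-Item $cfg

# Built-in service identities are skipped; only named accounts are of interest here.
$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -notin $builtin -and
                   $_.StartName -notlike 'NT SERVICE\*' } |
    ForEach-Object {
        $sid = Resolve-Sid $_.StartName
        [pscustomobject]@{
            Service          = $_.Name
            Account          = $_.StartName
            StartMode        = $_.StartMode
            ServiceLogon     = $sid -in $rights['SeServiceLogonRight']
            DenyServiceLogon = $sid -in $rights['SeDenyServiceLogonRight']
            InteractiveLogon = $sid -in $rights['SeInteractiveLogonRight']
        }
    } | Format-Table -AutoSize
```

A row with ServiceLogon false and InteractiveLogon false is the case to test by starting the service manually, as the reply suggests.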


