Re: Restrict both local machine accounts and domain accounts from login

From: Tekmazter (
Date: 11/17/05

Date: Thu, 17 Nov 2005 11:32:24 -0500

Good advice Steve,

It looks like everything is working out correctly here. I appreciate
it --thanks!

"Steven L Umbach" <> wrote in message
>I believe that they will not have a problem as long as they have the user
>right to logon as a service. Of course your best bet is to test out the
>configuration and for services configured to start manually logon as a
>local administrator and see if you can start the service. You could also
>configure auditing on your server for audit privilege use for failure and
>then look in the security log for failure events to see if there are
>problems with the service. --- Steve
> "Tekmazter" <> wrote in message
> news:eS8p9nu6FHA.1420@TK2MSFTNGP09.phx.gbl...
>> Okay, I should say that I found out how to restrict logon accounts
>> immediately after posting this, so I will go into a new question that
>> this has created....
>> I restricted logon interactively via the local machine (servers in this
>> case) policy. I do not have in place any group policy settings which
>> would effectively override these settings. Okay, for the new question...
>> I do have service accounts that are also part of the Users group for
>> which I have disabled interactive logons. Some of them are listed
>> explicitly when using the local machine policy as having this right,
>> however others (sqldebugger) for example are not listed, but are members
>> of the users group.
>> Q. Will this have any effect on the service account if it attempts to run
>> against the machine when called upon and not having the logon
>> interactively permission? Of course I can always add that account
>> explicitly too, but before I go and dbl-up on permissions, I thought I'd
>> ask first.
>> "Tekmazter" <> wrote in message
>> news:uHHqoVu6FHA.3760@TK2MSFTNGP14.phx.gbl...
>>> Pretty straight forward question here and I can't seem to remember how
>>> to do this or the knowledge base article on it...
>>> Anyway... I would like to do the following:
>>> (!) DISallow all accounts both local and domain except for Enterprise
>>> Admins, Domain Admins, and local administrators at a particular machine
>>> from logging into my servers locally --meaning while sitting in front of
>>> the machine