Re: Restrict both local machine accounts and domain accounts from login
From: Tekmazter (Sigs48_at_Hotmail.com)
Date: Thu, 17 Nov 2005 11:32:24 -0500
Good advice Steve,
It looks like everything is working out correctly here. I appreciate
"Steven L Umbach" <firstname.lastname@example.org> wrote in message
>I believe that they will not have a problem as long as they have the user
>right to logon as a service. Of course your best bet is to test out the
>configuration and, for services configured to start manually, log on as a
>local administrator and see if you can start the service. You could also
>configure auditing on your server for audit privilege use for failure and
>then look in the security log for failure events to see if there are
>problems with the service.
>--- Steve
> "Tekmazter" <Sigs48@Hotmail.com> wrote in message
>> Okay, I should say that I found out how to restrict logon accounts
>> immediately after posting this, so I will go into a new question that
>> this has created....
>> I restricted logon interactively via the local machine (servers in this
>> case) policy. I do not have in place any group policy settings which
>> would effectively override these settings. Okay, for the new question...
>> I do have service accounts that are also part of the Users group for
>> which I have disabled interactive logons. Some of them are listed
>> explicitly when using the local machine policy as having this right,
>> however others (sqldebugger) for example are not listed, but are members
>> of the users group.
>> Q. Will this have any effect on the service account if it attempts to run
>> against the machine when called upon and not having the logon
>> interactively permission? Of course I can always add that account
>> explicitly too, but before I go and dbl-up on permissions, I thought I'd
>> ask first.
>> "Tekmazter" <Sigs48@Hotmail.com> wrote in message
>>> Pretty straightforward question here and I can't seem to remember how
>>> to do this or the knowledge base article on it...
>>> Anyway... I would like to do the following:
>>> (!) DISallow all accounts both local and domain except for Enterprise
>>> Admins, Domain Admins, and local administrators at a particular machine
>>> from logging into my servers locally --meaning while sitting in front of
>>> the machine
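
Added example, not part of the original thread: the interactive logon right and the service logon right discussed above are separate lists in the local policy, so removing Users from one does not touch the other. The sketch below reads the `[Privilege Rights]` section of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export and reports each right for a service account; the sample policy, the `svc_backup` account, the `EXAMPLE` domain and the group memberships passed in are constructed for illustration.

```python
# Constructed sample of a secedit USER_RIGHTS export (not taken from the thread).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,EXAMPLE\\Domain Admins,EXAMPLE\\Enterprise Admins
SeServiceLogonRight = *S-1-5-20,svc_backup
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right_name: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs are written with a leading '*'; names compare case-insensitively.
        rights[name.strip()] = {
            p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()
        }
    return rights

def holds(rights, right, principals):
    """True if the account or any of its groups is listed for the right."""
    return bool(rights.get(right, set()) & {p.lower() for p in principals})

def service_logon_status(rights, account, groups=()):
    """'denied' wins over 'ok'; 'missing' means the right must be granted."""
    principals = [account, *groups]
    if holds(rights, "SeDenyServiceLogonRight", principals):
        return "denied"
    if holds(rights, "SeServiceLogonRight", principals):
        return "ok"
    return "missing"

if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_INF)
    users_sid = "S-1-5-32-545"  # BUILTIN\Users; membership is assumed here
    for acct in ("svc_backup", "sqldebugger"):
        print(acct,
              "service logon:", service_logon_status(rights, acct, [users_sid]),
              "| interactive:", holds(rights, "SeInteractiveLogonRight", [acct, users_sid]))
```

An account reported as `missing` is the case to test by starting the service manually and checking the security log for privilege-use failures, as suggested in the reply above.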