Re: Restrict both local machine accounts and domain accounts from login

From: Tekmazter
Date: 11/17/05

Date: Thu, 17 Nov 2005 11:32:24 -0500

Good advice Steve,

It looks like everything is working out correctly here. I appreciate
it --thanks!

"Steven L Umbach" <> wrote in message
>I believe that they will not have a problem as long as they have the user
>right to logon as a service. Of course your best bet is to test out the
>configuration and for services configured to start manually logon as a
>local administrator and see if you can start the service. You could also
>configure auditing on your server for audit privilege use for failure and
>then look in the security log for failure events to see if there are
>problems with the service. --- Steve
> "Tekmazter" <> wrote in message
> news:eS8p9nu6FHA.1420@TK2MSFTNGP09.phx.gbl...
>> Okay, I should say that I found out how to restrict logon accounts
>> immediately after posting this, so I will go into a new question that
>> this has created....
>> I restricted logon interactively via the local machine (servers in this
>> case) policy. I do not have in place any group policy settings which
>> would effectively override these settings. Okay, for the new question...
>> I do have service accounts that are also part of the Users group for
>> which I have disabled interactive logons. Some of them are listed
>> explicitly when using the local machine policy as having this right,
>> however others (sqldebugger) for example are not listed, but are members
>> of the users group.
>> Q. Will this have any effect on the service account if it attempts to run
>> against the machine when called upon and not having the logon
>> interactively permission? Of course I can always add that account
>> explicitly too, but before I go and dbl-up on permissions, I thought I'd
>> ask first.
>> "Tekmazter" <> wrote in message
>> news:uHHqoVu6FHA.3760@TK2MSFTNGP14.phx.gbl...
>>> Pretty straightforward question here and I can't seem to remember how
>>> to do this or the knowledge base article on it...
>>> Anyway... I would like to do the following:
>>> (!) DISallow all accounts both local and domain except for Enterprise
>>> Admins, Domain Admins, and local administrators at a particular machine
>>> from logging into my servers locally --meaning while sitting in front of
>>> the machine
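
Added example, not part of the original thread: one way to check the point Steve makes, that a service account depends on the "log on as a service" right rather than on local logon. Run from an elevated PowerShell prompt, it exports the server's user rights assignment with secedit and lists who holds each of the three rights involved; the temp file name is an arbitrary choice, and group membership is not expanded, so an account covered only through a group (such as Users) will not appear by name.

```powershell
# Added example: list holders of the logon rights discussed in this thread.
# Requires elevation. secedit.exe ships with Windows.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # arbitrary temp file name
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Resolve-Principal([string]$entry) {
    # secedit writes most principals as *S-1-5-...; plain names are left as-is.
    $entry = $entry.Trim()
    if (-not $entry.StartsWith('*')) { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $entry   # unresolvable SID (deleted account, unreachable domain)
    }
}

# Parse "SeXxxRight = *S-1-5-32-544,*S-1-5-..." lines into a lookup table.
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @(
            $Matches[2] -split ',' |
                Where-Object { $_.Trim() } |
                ForEach-Object { Resolve-Principal $_ }
        )
    }
}

# Allow log on locally, Deny log on locally, Log on as a service.
foreach ($right in 'SeInteractiveLogonRight',
                   'SeDenyInteractiveLogonRight',
                   'SeServiceLogonRight') {
    $holders = $rights[$right]
    if (-not $holders) { $holders = @('(not assigned)') }
    '{0}: {1}' -f $right, ($holders -join '; ')
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```

A service account that is missing from SeServiceLogonRight, directly and through any group listed there, is the one to test first when a service fails to start after the local logon right has been tightened.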
