Re: Prevent Users interactive login, but allow them to run batch jobs
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Mon, 20 Aug 2007 23:50:58 -0700
"Avil" <Avil@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:28206A25-9B62-4AC7-BD1B-29873E82B760@xxxxxxxxxxxxxxxx
I have a Windows 2000 ADS domain. I need some domain user accounta who can
run batch jobs but they should not be able to login to domain by pressing
alt-ctl-delete. Is it possible to implement?
Is it possible? Yes.
Is it simple to implement? That depends on how your Windows
deployment is currently configured.
In the default, user accounts are members of Domain Users, and
Domain Users as well as Authenticated Users are made members
of the Users group of all domain joined machines.
You want an account that
a) does not have a grant of Log on locally, or if it does then is
also listed in the Deny log on locally (these are in User Rights)
b) does have user right grant of batch logon
Just how you effect it so that the account meets those depends on
how you have or have not taken control over user rights on members.
One possible approach is to make the accounts not be members of
Domain Users. However, that does not fully address the issue as
Authenticated Users would still allow local login to the account.
Another possible approach is to use the Deny local login setting
but that gets very messy in an infrastructure as the only way to set
that centrally (without coding that connects to each machine and
sets it) is via GPO and that will wipe out anything already listed
in that setting.
Roger
.
- Prev by Date: Re: Compression on a folder
- Next by Date: Re: Prevent Users interactive login, but allow them to run batch j
- Previous by thread: Compression on a folder
- Next by thread: Re: Prevent Users interactive login, but allow them to run batch j
- Index(es):
Relevant Pages
|
|
