Re: Service Account only

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 12/16/04


Date: Wed, 15 Dec 2004 23:30:10 -0600

Hi Fred.

To prevent an account from logging on locally you need to add it to the deny
logon locally user right for the computers you do not want it to be able to
logon to. You can do that at the domain level for all domain computers other
than domain controllers for which you would have to do it in the Domain
Controller Security Policy. There is also a user right for logon as a
service that can be configured for that domain user account as explained in
the link below. Be sure to test out the configuration before rolling out. User
rights are configured in Group/security policy under computer
configuration/Windows settings/security settings/user rights. If you change
a security policy other than domain during your testing, keep in mind that
you can use secedit /refreshpolicy machine_policy /enforce first on the
domain controller and then on the domain computer to speed up security
policy propagation. If still having problems, enable auditing of privilege
use for failure on the computer where you are trying to get that domain
account working as a service account and look in the security log for
failure events that may help solve the problem. --- Steve

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/granting_logon_as_service_right_on_the_host_computer.asp

"Fred" <fred@yahoo.com> wrote in message
news:LoWdnQjhX4Lqk1zcRVn-3A@giganews.com...
> Hello Folks,
>
> I have a situation where I would like to configure a domain account for
> service related tasks only. I want to remove the ability for the account
> to login from any computer, and just use it for service related tasks.
> Essentially we would like for our app partners to configure a few of their
> application services to use these accounts without having to worry about
> changing their passwords with the rest of the domain accounts. I know
> there is a way to do this in a system such as SAP and the auditors will
> even allow for this account to keep a never expiring password because it
> has such limited access. Can we do this in Windows?
>
> Thanks in advance-
>
> Fred-
>
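
An added example, not part of the original post: one way to confirm on a test machine that the two user rights discussed above actually reached the computer is to export its effective user rights with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and check the `[Privilege Rights]` section. The account name `EXAMPLE\svc_app` and the sample export are constructed; pass the account's SID instead if the export lists SIDs rather than names.

```python
# Added example: audit a secedit user-rights export for a service-only account.

# Constructed sample of a `secedit /export ... /areas USER_RIGHTS` file.
# EXAMPLE\svc_app is a hypothetical account name.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,EXAMPLE\\svc_app
SeDenyInteractiveLogonRight = Guest,EXAMPLE\\svc_app
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

# User-right constants mapped to their names in the policy editor.
REQUIRED = {
    "SeServiceLogonRight": "Log on as a service",
    "SeDenyInteractiveLogonRight": "Deny logon locally",
}

def parse_privilege_rights(inf_text):
    """Return {right: set of lower-cased principals} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        name, _, value = line.partition("=")
        # SIDs are written with a leading '*'; names are compared case-insensitively.
        rights[name.strip()] = {
            m.strip().lstrip("*").lower() for m in value.split(",") if m.strip()
        }
    return rights

def audit_service_account(inf_text, account):
    """Return the required rights that do not list the account (name or SID)."""
    rights = parse_privilege_rights(inf_text)
    acct = account.lstrip("*").lower()
    return [f"{label} ({right}) not assigned to {account}"
            for right, label in REQUIRED.items()
            if acct not in rights.get(right, set())]

if __name__ == "__main__":
    for finding in audit_service_account(SAMPLE_INF, "EXAMPLE\\svc_app") or ["OK"]:
        print(finding)
```

The check only sees direct assignments in the export; a right obtained through group membership appears under the group's name or SID, not the account's.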


