Re: Service Account only

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 12/17/04

  • Next message: Joe Richards [MVP]: "Re: Password Policy"
    Date: Fri, 17 Dec 2004 00:24:05 -0500
    
    

    Probably an easier way is to configure machines the ID can be used to log on to
    and select a fake name for the one and only.

    However, neither of these methods will prevent non-interactive logon methods such
    as runas or net use /user.

       joe

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net
    Steven L Umbach wrote:
    > Hi Fred.
    > 
    > To prevent an account from logging on locally you need to add it to the deny 
    > logon locally user right for the computers you do not want it to be able to 
    > log on to. You can do that at the domain level for all domain computers other 
    > than domain controllers for which you would have to do it in the Domain 
    > Controller Security Policy. There is also a user right for logon as a 
    > service that can be configured for that domain user account as explained in 
    > the link below. Be sure to test out configuration before rolling out. User 
    > rights are configured in Group.security policy under computer 
    > configuration/Windows settings/security settings/user rights. If you change 
    > a security policy other than domain during your testing, keep in mind that 
    > if you use secedit /refreshpolicy machine_policy /enforce first on the 
    > domain controller and then on the domain computer to speed up security 
    > policy propagation.  If still having problems, enable auditing of privilege 
    > use for failure on the computer where you are trying to get that domain 
    > account working as a service account and look in the security log for 
    > failure events that may help solve the problem. --- Steve
    > 
    > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/granting_logon_as_service_right_on_the_host_computer.asp
    > 
    > "Fred" <fred@yahoo.com> wrote in message 
    > news:LoWdnQjhX4Lqk1zcRVn-3A@giganews.com...
    > 
    >>Hello Folks,
    >>
    >>I have a situation where I would like to configure a domain account for 
    >>service related tasks only. I want to remove the ability for the account 
    >>to log in from any computer, and just use it for service related tasks. 
    >>Essentially we would like for our app partners to configure a few of their 
    >>application services to use these accounts without having to worry about 
    >>changing their passwords with the rest of the domain accounts. I know 
    >>there is a way to do this in a system such as SAP and the auditors will 
    >>even allow for this account to keep a never expiring password because it 
    >>has such limited access. Can we do this in Windows?
    >>
    >>Thanks in advance-
    >>
    >>Fred-
    >>
    > 
    > 
    > 
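
An added example, not part of the original thread: a Python check that reads a user-rights export made with `secedit /export` and reports whether a service account holds the logon as a service right and is listed in the deny logon locally right discussed above. It goes beyond the thread by also reporting the separate network and Remote Desktop deny rights; the account name `EXAMPLE\svc_app` and the sample policy text are constructed for illustration.

```python
# Constructed sample of a "secedit /export /cfg policy.inf /areas USER_RIGHTS"
# file; real exports are UTF-16, so read them with encoding="utf-16".
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,EXAMPLE\svc_app
SeDenyInteractiveLogonRight = EXAMPLE\svc_app,Guest
SeDenyNetworkLogonRight = Guest
[Version]
signature="$CHICAGO$"
Revision=1
"""

DENY_RIGHTS = {  # user-right constant -> policy name
    "SeDenyInteractiveLogonRight": "deny log on locally",
    "SeDenyRemoteInteractiveLogonRight": "deny log on through Remote Desktop",
    "SeDenyNetworkLogonRight": "deny access from the network",
}
SERVICE_RIGHT = "SeServiceLogonRight"

def parse_rights(inf_text):
    """Return {right: set of lower-cased principals} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            # Exports prefix SIDs with "*"; strip it so names and SIDs compare alike.
            rights[name.strip()] = {m.strip().lstrip("*").lower()
                                    for m in value.split(",") if m.strip()}
    return rights

def audit(inf_text, account, sid=None):
    """List findings for one account. Only direct entries are checked, so a
    right granted or denied through a group the account belongs to is missed."""
    rights = parse_rights(inf_text)
    ids = {account.lower()} | ({sid.lower()} if sid else set())
    findings = []
    if not ids & rights.get(SERVICE_RIGHT, set()):
        findings.append("missing SeServiceLogonRight (log on as a service)")
    for right, label in DENY_RIGHTS.items():
        if not ids & rights.get(right, set()):
            findings.append(f"not listed in {right} ({label})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INF, r"EXAMPLE\svc_app"):
        print(finding)
```

Domain accounts usually appear in an export as `*S-1-5-21-...` SIDs rather than names, so pass the account's SID as the third argument when auditing a real file.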
    
