Services account issue


BT

Hi all

Is it possible to create a services account so that it will be used to start up
the services only, but cannot log on to a workstation?

Please advise.
Thanks
BT
 
Yes. Simply grant the account Logon as a Service and Deny logon locally using
Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.

Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
 
Thanks

How about if it is a domain user account with domain admin rights? Do I have to
do it in the domain security policy or the domain controller security policy?

Please advise.
BT
 
You really shouldn't give a service domain admin rights. It is almost
certainly far more rights than it actually needs. Look into delegation.

Outside of that, you cannot completely block an ID from being used in
any way but to start a service; there are multiple ways IDs can be used
outside of interactive auth, such as NET USE /USER and through RUNAS or
some other tools that allow using alternate creds.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
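
An added example, not code from any poster in this thread: a Python check over a `secedit /export /areas USER_RIGHTS` file that confirms an account holds Log on as a service and lists the logon types it is not explicitly denied, which is the gap the last reply points out. The account name `svc_backup` and the sample policy are constructed, and only entries that name the account directly are matched; group membership is not resolved.

```python
import configparser

# Right names as written in the [Privilege Rights] section of a secedit export.
SERVICE_RIGHT = "SeServiceLogonRight"
DENY_RIGHTS = {
    "interactive (local console)": "SeDenyInteractiveLogonRight",
    "network (NET USE /USER)": "SeDenyNetworkLogonRight",
    "remote desktop": "SeDenyRemoteInteractiveLogonRight",
    "batch (scheduled task)": "SeDenyBatchLogonRight",
}

# Constructed sample policy; svc_backup is a hypothetical account name.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,svc_backup
SeDenyInteractiveLogonRight = svc_backup,*S-1-5-32-546
SeDenyRemoteInteractiveLogonRight = svc_backup
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_user_rights(inf_text):
    """Map each user right to the set of accounts/SIDs listed for it."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {
        right: {m.strip().lstrip("*").lower() for m in value.split(",") if m.strip()}
        for right, value in cp["Privilege Rights"].items()
    }

def audit_service_account(inf_text, identities):
    """identities: the account's name and/or SID as they may appear in the file."""
    wanted = {i.lstrip("*").lower() for i in identities}
    rights = parse_user_rights(inf_text)
    listed = lambda right: bool(rights.get(right, set()) & wanted)
    return {
        "can_start_service": listed(SERVICE_RIGHT),
        "not_denied": [label for label, right in DENY_RIGHTS.items() if not listed(right)],
    }

if __name__ == "__main__":
    print(audit_service_account(SAMPLE_INF, ["svc_backup"]))
```

A real export is written as UTF-16, so read it with `encoding="utf-16"` before passing the text in.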
 