Q

Preventing service accounts from logging on locally in Win2k

We are currently in the design/testing phase for a Windows 2000/AD deployment. One of the things we are hoping to do is use group policy to limit interactive logons. What we would like to do is somehow prevent "service accounts" from being able to log on locally/interactively. Unfortunately, too many administrators use these accounts to perform elevated tasks, and the idea of changing the passwords at this time is unrealistic given the current limited resources. Is this something that can be done? Thanks for your help.
You can assign the right to log on locally to a specific set of users. This can be done via group policy. It sounds like you would be applying this rule to servers, so you should consider putting together an OU with the servers in it. Then create a group policy assigned to the OU that allows only particular user accounts or groups to log on locally. However, you will need to do some testing. Some services will still need this right to operate correctly.
This was first published in October 2003
This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close