We are currently in the design/testing phase for a Windows 2000/AD deployment. One of the things we are hoping to do is use group policy to limit interactive logons. What we would like to do is somehow prevent "service accounts" from being able to log on locally/interactively. Unfortunately, too many administrators use these accounts to perform elevated tasks, and the idea of changing the passwords at this time is unrealistic given the current limited resources. Is this something that can be done? Thanks for your help.
You can assign the right to log on locally to a specific set of users. This can be done via group policy. It sounds like you would be applying this rule to servers, so you should consider putting together an OU with the servers in it. Then create a group policy assigned to the OU that allows only particular user accounts or groups to log on locally. However, you will need to do some testing. Some services will still need this right to operate correctly.
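One way to do the testing the answer calls for, as an added example that is not part of the original reply: a Python check that reads the `[Privilege Rights]` section of a security template and reports whether each service account holds "Log on locally" (`SeInteractiveLogonRight`). It also reads "Deny logon locally" (`SeDenyInteractiveLogonRight`), which the answer does not mention; the template text, domain and account names are constructed for illustration.

```python
import re

# Constructed sample of a security template (.inf); all names are hypothetical.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,CORP\\Server Operators,CORP\\svc_backup
SeDenyInteractiveLogonRight = CORP\\svc_sql
SeServiceLogonRight = CORP\\svc_backup,CORP\\svc_sql,CORP\\svc_web
[Version]
signature="$CHICAGO$"
"""

def privilege_rights(template_text):
    """Return {right_name: set of lowercased principals} from [Privilege Rights]."""
    rights, section = {}, None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and INF comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            members = {m.strip().strip('"').lower()
                       for m in value.split(",") if m.strip()}
            rights[name.strip()] = members
    return rights

def audit_interactive_logon(template_text, service_accounts):
    """Classify each service account by what the template says about local logon."""
    rights = privilege_rights(template_text)
    allowed = rights.get("SeInteractiveLogonRight", set())
    denied = rights.get("SeDenyInteractiveLogonRight", set())
    report = {}
    for account in service_accounts:
        key = account.lower()
        if key in denied:
            report[account] = "denied"  # an explicit deny overrides an allow
        elif key in allowed:
            report[account] = "directly allowed"
        else:
            # Not named in either right; it may still inherit the right via a group.
            report[account] = "not listed (check group membership)"
    return report

if __name__ == "__main__":
    names = ["CORP\\svc_backup", "CORP\\svc_sql", "CORP\\svc_web"]
    for account, status in audit_interactive_logon(SAMPLE_TEMPLATE, names).items():
        print(f"{account}: {status}")
```

The check only sees principals named directly in the template, so an account reported as "not listed" still needs its group memberships compared against the groups that hold the right.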