Q

Preventing service accounts from logging on locally in Win2k

We are currently in the design/testing phase for a Windows 2000/AD deployment. One of the things we are hoping to do is use group policy to limit interactive logons. What we would like to do is somehow prevent "service accounts" from being able to log on locally/interactively. Unfortunately, too many administrators use these accounts to perform elevated tasks, and the idea of changing the passwords at this time is unrealistic given the current limited resources. Is this something that can be done? Thanks for your help.
You can assign the right to log on locally to a specific set of users. This can be done via group policy. It sounds like you would be applying this rule to servers, so you should consider putting together an OU with the servers in it. Then create a group policy assigned to the OU that allows only particular user accounts or groups to log on locally. However, you will need to do some testing. Some services will still need this right to operate correctly.
This was last published in October 2003
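The check below is an added example, not part of the original answer: it reads the `[Privilege Rights]` section of a security template (the INF text that `secedit /export` writes) and lists principals granted both "Log on as a service" and "Log on locally", which are the accounts to test before the OU policy removes the local logon right. The template text and the `CORP\svc_*` account names are constructed, and only direct assignments are examined (rights inherited through group membership are not resolved).

```python
# Added example: audit the [Privilege Rights] section of a security template
# for accounts that hold both "Log on as a service" and "Log on locally".
INTERACTIVE = "SeInteractiveLogonRight"   # "Log on locally"
SERVICE = "SeServiceLogonRight"           # "Log on as a service"

# Constructed sample; the CORP\svc_* account names are hypothetical.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,CORP\\svc_backup,CORP\\svc_sql
SeServiceLogonRight = CORP\\svc_backup,CORP\\svc_sql,CORP\\svc_web
SeNetworkLogonRight = *S-1-1-0
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(text):
    """Return {right_name: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and INF comments
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # Principals are comma-separated: names or *SID entries.
            members = {m.strip().lower() for m in value.split(",") if m.strip()}
            rights[name.strip()] = members
    return rights

def interactive_service_accounts(text):
    """Principals granted both rights directly (group membership is not resolved)."""
    rights = parse_privilege_rights(text)
    return sorted(rights.get(INTERACTIVE, set()) & rights.get(SERVICE, set()))

if __name__ == "__main__":
    for account in interactive_service_accounts(SAMPLE_TEMPLATE):
        print("review before removing Log on locally:", account)
```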
