Problem solve Get help with specific problems with your technologies, process and projects.

Preventing service accounts from logging on locally in Win2k

We are currently in the design/testing phase for a Windows 2000/AD deployment. One of the things we are hoping to do is use group policy to limit interactive logons. What we would like to do is somehow prevent "service accounts" from being able to log on locally/interactively. Unfortunately, too many administrators use these accounts to perform elevated tasks, and the idea of changing the passwords at this time is unrealistic given the current limited resources. Is this something that can be done? Thanks for your help.
You can assign the right to log on locally to a specific set of users. This can be done via group policy. It sounds like you would be applying this rule to servers, so you should consider putting together an OU with the servers in it. Then create a group policy assigned to the OU that allows only particular user accounts or groups to log on locally. However, you will need to do some testing. Some services will still need this right to operate correctly.

Dig Deeper on Microsoft Active Directory

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.