Fred (Guest)
Posted: Thu Dec 16, 2004 10:34 am
Subject: Service Account only
Hello Folks,
I have a situation where I would like to configure a domain account for
service related tasks only. I want to remove the ability for the account to
login from any computer, and just use it for service related tasks.
Essentially we would like for our app partners to configure a few of their
application services to use these accounts without having to worry about
changing their passwords with the rest of the domain accounts. I know there
is a way to do this in a system such as SAP and the auditors will even allow
for this account to keep a never expiring password because it has such
limited access. Can we do this in Windows?
Thanks in advance-
Fred-
Steven L Umbach (Guest)
Posted: Thu Dec 16, 2004 11:30 am
Subject: Re: Service Account only
Hi Fred.
To prevent an account from logging on locally you need to add it to the deny
logon locally user right for the computers you do not want it to be able to
log on to. You can do that at the domain level for all domain computers other
than domain controllers, for which you would have to do it in the Domain
Controller Security Policy. There is also a user right for logon as a
service that can be configured for that domain user account as explained in
the link below. Be sure to test out the configuration before rolling out. User
rights are configured in Group/security policy under computer
configuration/Windows settings/security settings/user rights. If you change
a security policy other than domain during your testing, keep in mind that
you can use secedit /refreshpolicy machine_policy /enforce first on the
domain controller and then on the domain computer to speed up security
policy propagation. If still having problems, enable auditing of privilege
use for failure on the computer where you are trying to get that domain
account working as a service account and look in the security log for
failure events that may help solve the problem. --- Steve
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/granting_logon_as_service_right_on_the_host_computer.asp
"Fred" <fred@yahoo.com> wrote in message
news:LoWdnQjhX4Lqk1zcRVn-3A@giganews.com...
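The reply above describes the two user rights involved (Deny log on locally, Log on as a service) and says to test before rolling out. The script below is an added example, not code from the thread or from Microsoft: it checks what a member computer's effective user-rights assignment actually contains for a given account, by exporting the [Privilege Rights] section with `secedit /export` and resolving the account to the SID form secedit writes. It also reports the other deny rights (network, batch, Remote Desktop), since a deny on local logon alone says nothing about those logon types. The account name CONTOSO\svc_app is a placeholder, and the script assumes an elevated PowerShell prompt on the computer being tested. Note that the `secedit /refreshpolicy` syntax quoted in the reply is the Windows 2000 form; on Windows XP/2003 and later the equivalent is `gpupdate /force`.

```powershell
# Added example (not from the thread): verify which logon rights an account holds on
# this machine, as secedit reports the effective local policy.
# Assumptions: CONTOSO\svc_app is a placeholder account; run from an elevated prompt.
param([string]$Account = 'CONTOSO\svc_app')

# Privilege constants as they appear in the secedit export, with the names shown in
# the Group Policy editor under User Rights Assignment
$rights = [ordered]@{
    SeServiceLogonRight               = 'Log on as a service'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeDenyBatchLogonRight             = 'Deny log on as a batch job'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

# Export only the user-rights area to a temporary .inf; secedit writes Unicode text
# with a BOM, which Get-Content detects
$cfg = Join-Path $env:TEMP ('userrights_{0}.inf' -f $PID)
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated prompt' }

# The export lists principals as *S-1-5-..., so resolve the account name to its SID
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Parse "SeXxxRight = *SID,*SID,..." lines into privilege -> list of SIDs
$assigned = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $assigned[$matches[1]] = @($matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Report each right; the first two decide whether the account works as a
# service-only identity, the rest show which other logon types are still open
foreach ($priv in $rights.Keys) {
    $present = @($assigned[$priv]) -contains $sid
    $note = switch ($priv) {
        'SeServiceLogonRight' {
            if ($present) { 'OK' } else { 'MISSING: a service using this account will fail to start' }
        }
        'SeDenyInteractiveLogonRight' {
            if ($present) { 'OK (denied)' } else { 'NOT DENIED: account can log on at the console' }
        }
        default {
            if ($present) { 'denied' } else { 'not denied' }
        }
    }
    '{0,-34} {1,-48} {2}' -f $priv, $rights[$priv], $note
}
```

Run it on a test machine after the policy has been refreshed, then again on a machine outside the GPO scope, to confirm the rights land only where intended. If an empty result comes back for a right that the GPO sets, the policy has not applied yet or a more specific policy (for example the Domain Controller Security Policy the reply mentions) is overriding it.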
Joe Richards [MVP] (Guest)
Posted: Fri Dec 17, 2004 11:24 am
Subject: Re: Service Account only
Probably an easier way is to configure machines the ID can be used to log on to
and select a fake name for the one and only.
However, neither of these methods will prevent non-interactive logon methods such
as runas or net use /user.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Steven L Umbach wrote:
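The reply above makes the point that a logon-workstation restriction or a deny-local-logon right does not cover every way an account can authenticate. Before deciding which deny rights to apply, it helps to know which logon types the account is actually being used with. The script below is an added example, not part of the thread: it reads successful-logon events (ID 4624) from the Security log and summarises them by logon type for one account, so a service-only account should show only type 5 (Service). CONTOSO\svc_app is a placeholder; the script assumes `Get-WinEvent` (Windows Vista / Server 2008 or later, which postdates the thread) and an elevated prompt on the host being checked.

```powershell
# Added example (not from the thread): summarise the logon types recorded for an
# account in this machine's Security log, from event 4624 (successful logon).
# Assumptions: CONTOSO\svc_app is a placeholder; run elevated; Get-WinEvent available.
param(
    [string]$User   = 'svc_app',   # placeholder sAMAccountName
    [string]$Domain = 'CONTOSO',   # placeholder NetBIOS domain name
    [int]$Days      = 7
)

# Logon type codes as documented for event 4624
$logonTypes = @{
    2  = 'Interactive (local console)'
    3  = 'Network (net use, SMB, RPC)'
    4  = 'Batch (scheduled task)'
    5  = 'Service (started by the service control manager)'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials (runas /netonly)'
    10 = 'RemoteInteractive (Remote Desktop)'
    11 = 'CachedInteractive'
}

$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Pull the named EventData fields out of each event's XML and keep only our account
$hits = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['TargetUserName'] -eq $User -and $d['TargetDomainName'] -eq $Domain) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            LogonType = [int]$d['LogonType']
            Process   = $d['LogonProcessName']
            Source    = $d['WorkstationName']
            IpAddress = $d['IpAddress']
        }
    }
}

if (-not $hits) {
    "No 4624 events for $Domain\$User in the last $Days day(s)"
    return
}

# One line per logon type: code, meaning, count, most recent occurrence
$hits | Group-Object LogonType | Sort-Object { [int]$_.Name } | ForEach-Object {
    $code = [int]$_.Name
    $last = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
    '{0,3}  {1,-50} {2,5} logon(s), last seen {3}' -f $code, $logonTypes[$code], $_.Count, $last
}
```

Anything other than type 5 in the output for a service-only account is worth explaining: type 3 entries point at the network deny right, type 4 at the batch deny right, and type 2 or 10 at the local and Remote Desktop deny rights respectively. The Source and IpAddress fields in `$hits` show where those logons came from.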