Disabling Interactive Logon for Service Accounts

Discussion in 'Active Directory' started by CP, Apr 25, 2006.

  1. CP

    CP Guest

    Hi there,

    Is there any way that I can prevent certain accounts (service accounts used
    for applications) from being used to log on interactively (i.e. through physical
    logon at the machine, terminal services, Remote Desktop)?

    The way I see it, one way to accomplish this would be to grant the 'Deny
    Logon Locally' right to these user accounts. But that would have to be done
    explicitly on every computer in the domain and it would still not prevent
    users from logging on through terminal services or remote desktop.

    Thanks in advance for any suggestions.

    Regards

    CP
     
    CP, Apr 25, 2006
    #1

  2. Denying logon locally should stop RDP logons. Are you seeing differently?
    The only problem is it can stop certain scheduled tasks, etc. as well.
    However if this is just a service account then that should be fine. You can
    also deny logon via RDP if you like.

    This is probably a recommended security practice.
     
    Paul Williams [MVP], Apr 25, 2006
    #2

  3. CP

    CP Guest

    Thanks for your reply, Paul.

    I have not tested if 'Deny Local Logon' would not stop RDP logons. I was
    assuming that local logons were strictly physical logons at the computer.

    But presuming that it does prevent all interactive logons, how do I effect
    this across the Enterprise... Group Policy?

    Regards

    CP
     
    CP, Apr 25, 2006
    #3
  4. Yes. You can configure this right in a new GPO linked to the domain.

    Be careful implementing this. Logon locally is defined via local GPO. If
    you modify the domain GPO, you override the local settings and only that
    defined in the domain GPO is enforced. Make sure you look at what is
    already configured and configure the same plus your new requirements.

    If you are just going to modify Deny logon locally, the above doesn't apply,
    but take heed anyway.

    Test this on one or two computers in an isolated OU before rolling domain wide.
     
    Paul Williams [MVP], Apr 26, 2006
    #4
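An added example, not part of the thread: when testing the GPO on the pilot computers Paul describes, this PowerShell script exports the effective user-rights assignment (the merged result of local and domain policy, which is what Paul's override warning is about) with secedit and reports whether each service account is covered by "Deny log on locally" and "Deny log on through Terminal Services". The account names are hypothetical placeholders; run it elevated on the target computer.

```powershell
# Added example (not from the thread): audit the effective "Deny log on locally"
# (SeDenyInteractiveLogonRight) and "Deny log on through Terminal Services"
# (SeDenyRemoteInteractiveLogonRight) assignments on this computer and report
# whether each listed service account is covered. The account names below are
# hypothetical placeholders; replace them with your own service accounts.
$ServiceAccounts = @('CONTOSO\svc_app', 'CONTOSO\svc_backup')

# secedit exports the effective (local + domain GPO) user-rights assignment
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Parse the [Privilege Rights] section into a hashtable of right -> principals
$rights = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() })
    }
}
Remove-Item $inf -Force

# secedit writes principals as SIDs prefixed with '*'; translate to DOMAIN\name
function Resolve-Principal([string]$entry) {
    if ($entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $entry }   # unresolvable SID (e.g. a deleted account)
    }
    return $entry
}

$checks = @{
    'Deny log on locally'                   = 'SeDenyInteractiveLogonRight'
    'Deny log on through Terminal Services' = 'SeDenyRemoteInteractiveLogonRight'
}
foreach ($label in $checks.Keys) {
    # A right with no assignments is simply absent from the export
    $members = @($rights[$checks[$label]] | Where-Object { $_ } | ForEach-Object { Resolve-Principal $_ })
    Write-Host "$label : $($members -join ', ')"
    foreach ($acct in $ServiceAccounts) {
        $status = if ($members -contains $acct) { 'DENIED (ok)' } else { 'NOT denied' }
        Write-Host "  $acct -> $status"
    }
}
```

Because the export is the merged effective policy, an account that was denied only by the local policy and disappears after the domain GPO applies will show up here as "NOT denied", which is exactly the override case to watch for during the pilot.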