Restrict interactive logon on AD service accounts
Max Coder
There is a service account that is a member of the domain admins group. We are trying to restrict our service accounts in AD to do interactive logon process for Domain Controller machines. What is the best way to lock out the ability to use that account without affecting the purpose of a service account?
Can we safely check the "Deny log on locally" and "Deny log on through Terminal Services" tickbox in AD under Default Domain controller policy?
Aakash Shah
You can add only the DCs into the “Log on to” field (under the Account tab) of the user. This will prevent this service account from being used from other computers that are not listed in the “Log on to” field.
-Aakash Shah
--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ntsysadmin/00dadf80-1384-4e41-a6cf-1e4ba9df4378n%40googlegroups.com.
Charles F Sullivan
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/BN0P221MB0430816D3CEB6D35012EF724F2C42%40BN0P221MB0430.NAMP221.PROD.OUTLOOK.COM.
Charlie Sullivan
Principal Windows Systems Administrator
Orlebeck, Geoffrey
What is the service account doing that requires Domain Admin membership? Much of AD work can be delegated to a lower-level privilege, so would be curious on “the why” of the service account being a Domain Admin.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/BN0P221MB0430816D3CEB6D35012EF724F2C42%40BN0P221MB0430.NAMP221.PROD.OUTLOOK.COM.