3

Possible Duplicate:
Prevent service accounts from logging in locally or remotely

I've got a few accounts being used to run various services, e.g. SQL.Service, TFS.Application, etc., and want to mark those accounts as not supporting interactive login in AD.

Presumably I should put them in a specific security group (I've created one called MyOrg.Services), but I don't know how to flag users in that group as being services, not "real" users.

Basic
  • @MichelZ Thanks - I searched quite a few times but I guess using "Interactive" as a keyword was scuppering me – Basic Jul 03 '12 at 16:53
  • @MichelZ Actually, I don't think that quite answers my question. Unless the truth is that I need to apply a _Machine_-specific policy to every computer in the domain, specifically _barring_ different types of login as opposed to flagging the user account(s) in some way? – Basic Jul 03 '12 at 16:54
  • I think this is the way it is. You can do it through Group Policy, and assign an AD Group to the Deny Logon Locally to have it more sophisticated if you want? – MichelZ Jul 03 '12 at 16:55

2 Answers

3

I think a Managed Service Account would meet your requirements.

unhappyCrackers1
3

The process is relatively simple. Create your user as you would a normal user. Open the "Local Security Policy" editor (under Administrative Tools) and drill down to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment, and you'll find "Deny log on locally".

From there, open it up & add the user(s) in question.

You may also want to add them to the "Log on as Service" policy as well for the sake of completeness.

There are several other spiffy options you may want to play with in there as well.

TheCompWiz
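An added example (not part of either answer, and not vendor code): a PowerShell check that parses a `secedit /export` of user rights and reports whether a service account or group holds the rights the answer above names. It goes one step beyond the answer by also checking "Deny log on through Remote Desktop Services", a separate right from "Deny log on locally". The sample export, its domain SID and the function names are constructed for illustration.

```powershell
# Added example, not from the original answers. On a live host (elevated), get the input with:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $inf = Get-Content "$env:TEMP\rights.inf" -Raw

# Constructed sample export; the S-1-5-21-... SID stands in for the service accounts group.
$inf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-1111111111-2222222222-3333333333-1601
SeDenyInteractiveLogonRight = Guest,*S-1-5-21-1111111111-2222222222-3333333333-1601
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
'@

# Parse the [Privilege Rights] section into a table: right name -> list of holders.
function Get-PrivilegeRights([string]$InfText) {
    $rights = @{}; $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $name, $value = $Matches[1], $Matches[2]
            # secedit writes SIDs with a leading '*'; plain account names have none.
            $rights[$name] = @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $rights
}

# Rights a non-interactive service account is expected to hold.
$rightsToCheck = [ordered]@{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    SeServiceLogonRight               = 'Log on as a service'
}

# Report, per right, whether the given SID or account name is listed in the export.
function Test-ServiceAccountRights([string]$InfText, [string]$Principal) {
    $rights = Get-PrivilegeRights $InfText
    foreach ($name in $rightsToCheck.Keys) {
        $holders = if ($rights.ContainsKey($name)) { $rights[$name] } else { @() }
        [pscustomobject]@{ Right = $name; Policy = $rightsToCheck[$name]; Assigned = ($holders -contains $Principal) }
    }
}

Test-ServiceAccountRights $inf 'S-1-5-21-1111111111-2222222222-3333333333-1601' | Format-Table -AutoSize
```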