
Background: An application requires that user objects be created to contain various users' information. These user objects exist for their data only, and the user objects should not be able to log in, have access to files, or do anything whatsoever. Additionally, the user objects cannot be disabled due to the application's functionality.

What level of access does a user object have by default when created (assume a typical simple domain with a DC and a file server)? What needs to be done to lock these user objects down to nullify that access?

Bigbio2002

1 Answer


A user account by default has read access to most other objects and their attributes in AD. You can minimize access by assigning a long random password, and creating a special security group for those accounts. In the Default Domain Policy, assign that group the following Windows rights located at Computer Configuration > Policies > Windows Settings > Security Settings > User Rights Assignment:

  • Deny access to this computer from the network
  • Deny log on as a batch job
  • Deny log on as a service
  • Deny log on locally
  • Deny log on through Remote Desktop Services

If marking the account as disabled is not an option, you may want to test if other account attributes would work for effectively preventing the account from being used, such as marking the account as Expired (Account tab > Set expiration date in the past), and/or SmartCard required.

Greg Askew
I was thinking something along these lines, but didn't know what permissions were needed. Thanks! What about the default membership in Domain Users; what access does that give, and should it be removed? Will restricting logon hours to "never" be sufficient to protect against login? What if someone tries right-click > run as different user and tries to use one of these accounts? – Bigbio2002 Mar 25 '15 at 19:13
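The provisioning and audit side of the answer above, as an added PowerShell example that is not part of the original answer or of any Microsoft documentation. It assumes the RSAT ActiveDirectory module, a hypothetical group name `DataOnly-NoLogon` and a hypothetical OU `OU=DataOnlyUsers,DC=example,DC=com`. It creates the security group, creates each data-only account with a long random password that is never recorded, sets the expiration date in the past and the smart-card-required flag, and then audits those settings. The User Rights Assignment step (the five Deny rights assigned to the group in the Default Domain Policy) has no native cmdlet and is still done in the Group Policy editor as the answer describes; this script only puts the accounts in scope of it.

```powershell
# Added example: provision and audit data-only AD accounts as described in the answer.
# Assumes the ActiveDirectory module; group and OU names below are hypothetical.
Import-Module ActiveDirectory

$DataOnlyGroup = 'DataOnly-NoLogon'                      # hypothetical group name
$DataOnlyOU    = 'OU=DataOnlyUsers,DC=example,DC=com'    # hypothetical OU

function New-RandomPassword {
    param([int]$Length = 64)
    # Cryptographically random bytes, base64-encoded, trimmed to the requested length.
    $byteCount = [int][math]::Ceiling($Length * 3 / 4) + 3
    $bytes = New-Object byte[] $byteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    return ([Convert]::ToBase64String($bytes)).Substring(0, $Length)
}

function New-DataOnlyUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$DisplayName
    )
    # 1. Security group that the GPO "Deny ..." user rights are assigned to (in GPMC).
    if (-not (Get-ADGroup -Filter "Name -eq '$DataOnlyGroup'")) {
        New-ADGroup -Name $DataOnlyGroup -GroupScope Global -GroupCategory Security `
            -Description 'Data-only accounts; denied all logon types via GPO'
    }
    # 2. Account with a long random password nobody stores, expired yesterday,
    #    and flagged smart-card-required so the password is not usable anyway.
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    New-ADUser -Name $DisplayName -SamAccountName $SamAccountName -Path $DataOnlyOU `
        -AccountPassword $secure -Enabled $true `
        -SmartcardLogonRequired $true -CannotChangePassword $true `
        -Description 'Application data record only; must not log on'
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime (Get-Date).AddDays(-1)
    # 3. Membership puts the account in scope of the Deny rights GPO.
    Add-ADGroupMember -Identity $DataOnlyGroup -Members $SamAccountName
}

function Test-DataOnlyUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Re-read the account and report each lockdown property as a pass/fail flag.
    $u = Get-ADUser -Identity $SamAccountName `
        -Properties AccountExpirationDate, SmartcardLogonRequired, MemberOf
    $groupDn = (Get-ADGroup -Identity $DataOnlyGroup).DistinguishedName
    $checks = [ordered]@{
        InDenyGroup   = $u.MemberOf -contains $groupDn
        Expired       = ($null -ne $u.AccountExpirationDate) -and
                        ($u.AccountExpirationDate -lt (Get-Date))
        SmartcardOnly = $u.SmartcardLogonRequired -eq $true
        # Domain Users is the primary group and does not appear in MemberOf;
        # any membership other than the deny group is a finding to review.
        NoExtraGroups = @($u.MemberOf | Where-Object { $_ -ne $groupDn }).Count -eq 0
    }
    [pscustomobject]$checks
}

# Usage (run with rights to create objects in the OU):
# New-DataOnlyUser -SamAccountName 'app.rec001' -DisplayName 'App Record 001'
# Test-DataOnlyUser -SamAccountName 'app.rec001'
```

`Test-DataOnlyUser` is meant to run on a schedule: the four flags show whether a data-only account has drifted out of the group, had its expiration cleared, lost the smart-card flag, or been added to other groups, which are the changes that would quietly restore logon ability.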