Non-Interactive User Accounts

Is it possible to set up a user account that a service can use to get a certain user privilege, but to make it non-interactive so that a person couldn't use it to gain illegal access to a system if they acquired its password?

I thought of possibly limiting it to zero workstations under the "Logon to.." account option.
Asked by: tombo
 
vvk Commented:
You can gain or grant any type of access to an account through User Manager/Policies/User Rights. To allow a service to start under a specified account, the account must have the "logon as service" right. You can also disable rights such as log on locally, log on from network and so on. If you want to configure all user rights, don't forget to check the "Show advanced user rights" option.
 
cer Commented:
For logon over network I wouldn't recommend the Policy. Because it is only one user it is easier to restrict the "logon at" of this user.
 
tombo (Author) Commented:
I don't think this was answered.
Yes - use the "Log on as service" right.
But since there is no 'exclude' option under User Rights you cannot remove just one user from a right (i.e. "Log on locally") easily - you would have to add individual users rather than groups. Therefore the "Log on locally" right is not an option here.
This then leaves the "Logon to.." option under Account Properties. If, as I suggested, I select for this account to logon to specific workstations and then not list any, does this:
- produce the effect of disallowing logon to ALL workstation members of the domain?, and
- affect the "Log on as service" right in any way?

 
cer Commented:
- create a new group "4service"
- create a new user  "special"
- join only this user to group 4service
- remove any other unnecessary groups from this user (user, domain-user)
- Open usermanager/policy/"logon locally"
  remove group everyone
  add group user, mainuser,domain-user

- Add the user special to policy "Logon as service"

Because all users are normally joined in one group (domain-users) and you exclude user special from this group, you _CAN_ use the policy "Log on locally". It is THE option here.

To prevent logon over the network you can do the same for "use computer over network" policy.

If you choose the "Logon to .." property you change only the property of this one special user, not of all members of the domain. Because this property restricts logon _from_ (not _to_) specific workstations (over the network) it does not affect a local logon (which "logon as service" is).

I hope my answer is specific enough to convince you.

Please: Ask for more information _before_ grading an F. Just do not check any of the grade buttons and type in your text.

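As an added example (not part of the thread and not any poster's code), the following Python check models the configuration cer describes: it resolves which principals the service account acts as, including nested groups and the implicit Everyone group, and reports any logon right it holds beyond "Log on as a service". The text layout of the rights listing, the account `alice` and the nesting of `domain-user` inside `user` are constructed assumptions.

```python
# Constructed sample data; names follow the thread, layout and memberships are assumed.
LABELS = {
    "SeInteractiveLogonRight": "Log on locally",
    "SeNetworkLogonRight": "Access this computer from the network",
    "SeServiceLogonRight": "Log on as a service",
}
BEFORE = """SeInteractiveLogonRight = Everyone
SeNetworkLogonRight = Everyone
SeServiceLogonRight = special"""
AFTER = """SeInteractiveLogonRight = user, mainuser, domain-user
SeNetworkLogonRight = user, mainuser, domain-user
SeServiceLogonRight = special"""
GROUPS = {"4service": ["special"], "domain-user": ["alice"], "user": ["domain-user"]}


def parse_rights(text):
    """Parse 'right = a, b' lines into {right: set of lower-cased principals}."""
    rights = {}
    for line in text.splitlines():
        name, sep, members = line.partition("=")
        if sep:
            rights[name.strip()] = {m.strip().lower() for m in members.split(",") if m.strip()}
    return rights


def principals_of(account, groups):
    """The account, the implicit Everyone group, and all direct or nested groups."""
    held = {account.lower(), "everyone"}
    while True:  # repeat until nesting reaches no further group
        new = {g.lower() for g, ms in groups.items() if held & {m.lower() for m in ms}} - held
        if not new:
            return held
        held |= new


def audit_service_account(account, rights_text, groups):
    """List logon rights the account lacks or holds beyond 'Log on as a service'."""
    rights, held = parse_rights(rights_text), principals_of(account, groups)
    findings = []
    if not rights.get("SeServiceLogonRight", set()) & held:
        findings.append("missing: " + LABELS["SeServiceLogonRight"])
    for right in ("SeInteractiveLogonRight", "SeNetworkLogonRight"):
        via = sorted(rights.get(right, set()) & held)
        if via:
            findings.append(f"unexpected: {LABELS[right]} via {', '.join(via)}")
    return findings


if __name__ == "__main__":
    print([audit_service_account("special", t, GROUPS) for t in (BEFORE, AFTER)])
```

The `via` part of each finding names the group that grants the unwanted right, which is the membership to remove.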
 
cer Commented:
tombo left you the following comment along with your grade:
Tut, tut, tut.......a little touchy on the grading subject - do we
lose our bonuses if we get too many 'Fs'?

I put an F because the only other option was D for acceptable, which
it wasn't. If it was D for poor I may have flicked one then.


Yes, you can read this somewhere in "how to use experts-exchange", F's are counted for experts and customers.
What you should have done is: Not to mark F, D or anything else. Just mark _nothing_, write a comment and submit. This will appear as a comment and the answer is still locked.

   Cer

