Solved

Non-Interactive User Accounts

Posted on 1997-04-06
Last Modified: 2013-12-28
Is it possible to set up a user account that a service can use to get a certain user privilege, but to make it non-interactive so that a person couldn't use it to gain illegal access to a system if they acquired its password?

I thought possibly limit it to zero workstations under the "Logon to.." account option.
Question by:tombo
5 Comments
 
LVL 4

Expert Comment

by:vvk
ID: 1777889
You can gain or grant any type of access to an account through UserManager/Policies/UserRights. To allow a service to start under a specified account, the account must have the logon as service right. Also you can disable rights such as logon locally, logon from network and so on. If you want to configure all user rights, don't forget to check the Show advanced user rights option.
0
 
LVL 5

Expert Comment

by:cer
ID: 1777890
For logon over network I wouldn't recommend the Policy. Because it is only one user it is easier to restrict the "logon at" of this user.
0
 

Author Comment

by:tombo
ID: 1777891
I don't think this was answered.
Yes - use the "Log on as service" right.
But since there is no 'exclude' option under User Rights you cannot remove just one user from a right (i.e. "Log on locally") easily - you would have to add individual users rather than groups. Therefore the "Log on locally" right is not an option here.
This then leaves the "Logon to.." option under Account Properties. If, as I suggested, I select for this account to logon to specific workstations and then not list any, does this:
- produce the effect of disallowing logon to ALL workstation members of the domain?, and
- affect the "Log on as service" right in any way?

0
 
LVL 5

Accepted Solution

by:
cer earned 250 total points
ID: 1777892
- create a new group "4service"
- create a new user  "special"
- join only this user to group 4service
- remove any other unnecessary groups from this user (user, domain-user)
- Open usermanager/policy/"logon locally"
  remove group everyone
  add group user, mainuser,domain-user

- Add the user special to policy "Logon as service"

Because all users are normally joined in one group (domain-users) and you exclude user special from this group, you _CAN_ use the policy "Log on locally". It is THE option here.

To prevent logon over the network you can do the same for "use computer over network" policy.

If you choose the "Logon to .." property you change only the property of this one special user, not of all members of the domain. Because this property restricts logon _from_ (not _to_) specific workstations (over the network) it does not affect a local logon (which "logon as service" is).

I hope my answer is specific enough to convince you.

Please: Ask for more information _before_ grading an F. Just do not check any of the grade buttons and type in your text.

0
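An added example, not part of the original answer: a small Python model of the reasoning above, showing which logon rights the service account ends up with once group membership is expanded. The function names, the implicit `Everyone` membership and all sample data are assumptions made for this illustration; the group and user names are the ones used in the post.

```python
# Added illustration; every account, group and policy entry below is constructed.
INTERACTIVE = "SeInteractiveLogonRight"  # "Log on locally"
NETWORK = "SeNetworkLogonRight"          # "Access this computer from network"
SERVICE = "SeServiceLogonRight"          # "Log on as a service"

def principals_of(account, member_of):
    """Account plus every group it is in, directly or through nesting."""
    seen = {account, "Everyone"}  # assumption: Everyone implicitly contains all accounts
    stack = [account]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def audit_service_account(account, member_of, policy):
    """Return findings; an empty list means the account has service logon only."""
    who = principals_of(account, member_of)
    findings = []
    if not who & set(policy.get(SERVICE, ())):
        findings.append(f"{SERVICE} missing")
    for right in (INTERACTIVE, NETWORK):
        via = sorted(who & set(policy.get(right, ())))
        if via:
            findings.append(f"{right} granted via {', '.join(via)}")
    return findings

# Policy as configured in the accepted answer (group names taken from the post).
HARDENED = {
    INTERACTIVE: ["user", "mainuser", "domain-user"],
    NETWORK: ["user", "mainuser", "domain-user"],
    SERVICE: ["special"],
}
# Same policy, but with Everyone left in "Log on locally".
EVERYONE_LEFT = {**HARDENED, INTERACTIVE: ["Everyone", "user"]}

if __name__ == "__main__":
    cases = {
        "as answered": ({"special": ["4service"]}, HARDENED),
        "still in domain-user": ({"special": ["4service", "domain-user"]}, HARDENED),
        "Everyone not removed": ({"special": ["4service"]}, EVERYONE_LEFT),
    }
    for name, (groups, policy) in cases.items():
        print(name, "->", audit_service_account("special", groups, policy) or "OK")
```

The second and third cases show why both steps in the answer matter: leaving the account in a group that holds the right, or leaving Everyone in the policy, restores interactive logon.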
 
LVL 5

Expert Comment

by:cer
ID: 1777893
tombo left you the following comment along with your grade:
Tut, tut, tut.......a little touchy on the grading subject - do we
lose our bonuses if we get too many 'Fs'?

I put an F because the only other option was D for acceptable, which
it wasn't. If it was D for poor I may have flicked one then.


Yes, you can read this somewhere in "how to use experts-exchange", F's are counted for experts and customers.
What you should have done is: Not to mark F, D or anything else. Just mark _nothing_, write a comment and submit. This will appear as a comment and the answer is still locked.

   Cer


0
