Solved

Non-InterActive user Accounts

Posted on 1997-04-06
Last Modified: 2013-12-28
Is it possible to set up a user account that a service can use to get a certain user-privilege, but to make it non-interactive so that a person couldn't use it to gain illegal access to a system if they acquired its password?

I thought possibly limit it to zero workstations under the "Logon to.." account option.
Question by:tombo

Expert Comment

by:vvk
ID: 1777889
You can gain or grant any type of access to an account through UserManager/Policies/UserRights. To allow a service to start under a specified account, it must have the logon as service right. Also, you can disable rights such as logon locally, logon from network and so on. If you want to configure all user rights, don't forget to check the Show advanced user rights option.

Expert Comment

by:cer
ID: 1777890
For logon over network I wouldn't recommend the Policy. Because it is only one user it is easier to restrict the "logon at" of this user.

Author Comment

by:tombo
ID: 1777891
I don't think this was answered.
Yes - use the "Log on as service" right.
But since there is no 'exclude' option under User Rights you cannot remove just one user from a right (i.e. "Log on locally") easily - you would have to add individual users rather than groups. Therefore the "Log on locally" right is not an option here.
This then leaves the "Logon to.." option under Account Properties. If, as I suggested, I select for this account to logon to specific workstations and then not list any, does this:
- produce the effect of disallowing logon to ALL workstation members of the domain?, and
- affect the "Log on as service" right in any way?


Accepted Solution

by:
cer earned 250 total points
ID: 1777892
- create a new group "4service"
- create a new user  "special"
- join only this user to group 4service
- remove any other unnecessary groups from this user (user, domain-user)
- Open usermanager/policy/"logon locally"
  remove group everyone
  add group user, mainuser,domain-user

- Add the user special to policy "Logon as service"

Because all users are normally joined in one group (domain-users) and you exclude user special from this group, you _CAN_ use the policy "Log on locally". It is THE option here.

To prevent logon over the network you can do the same for "use computer over network" policy.

If you choose the "Logon to .." property you change only the property of this one special user, not of all members of the domain. Because this property restricts logon _from_ (not _to_) specific workstations (over the network) it does not affect a local logon (which "logon as service" is).

I hope my answer is specific enough to convince you.

Please: Ask for more information _before_ grading an F. Just do not check any of the grade buttons and type in your text.
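
A check for the result of the steps in the accepted solution, added here as an example (not part of the thread): it reads the [Privilege Rights] section of a user-rights export and reports whether an account can log on only as a service. The export text, the account alice and the membership table are constructed; the right names are the standard Windows constants for "Log on as a service", "Log on locally" and network access.

```python
import configparser

# Constructed sample in the [Privilege Rights] layout of a `secedit /export` file.
SAMPLE_EXPORT = """
[Privilege Rights]
SeServiceLogonRight = special
SeInteractiveLogonRight = Administrators,Domain Users
SeNetworkLogonRight = Administrators,Domain Users
"""

# Constructed group membership; a real audit would read it from the account database.
MEMBERSHIP = {"special": {"4service"}, "alice": {"Domain Users"}}

REQUIRED = "SeServiceLogonRight"
FORBIDDEN = ("SeInteractiveLogonRight", "SeNetworkLogonRight")


def parse_rights(text):
    """Return {right name: set of lower-cased principals holding it}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(text)
    return {
        right: {p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()}
        for right, value in cp["Privilege Rights"].items()
    }


def audit(account, rights, membership):
    """Return findings; an empty list means the account is service-only."""
    # Every account is implicitly a member of Everyone, so a right left on
    # Everyone reaches the service account whatever groups it was removed from.
    principals = {account.lower(), "everyone"}
    principals |= {g.lower() for g in membership.get(account, ())}
    findings = []
    if not principals & rights.get(REQUIRED, set()):
        findings.append(f"missing {REQUIRED}")
    for right in FORBIDDEN:
        via = principals & rights.get(right, set())
        if via:
            findings.append(f"{right} granted via {', '.join(sorted(via))}")
    return findings


if __name__ == "__main__":
    print(audit("special", parse_rights(SAMPLE_EXPORT), MEMBERSHIP))
```
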


Expert Comment

by:cer
ID: 1777893
tombo left you the following comment along with your grade:
Tut, tut, tut.......a little touchy on the grading subject - do we
lose our bonuses if we get too many 'Fs'?

I put an F because the only other option was D for acceptable, which
it wasn't. If it was D for poor I may have flicked one then.


Yes, you can read this somewhere in "how to use experts-exchange", F's are counted for experts and customers.
What you should have done is: Not to mark F, D or anything else. Just mark _nothing_, write a comment and submit. This will appear as a comment and the answer is still locked.

   Cer

