Solved

Non-Interactive User Accounts

Posted on 1997-04-06
Last Modified: 2013-12-28
Is it possible to set up a user account that a service can use to get a certain user-privilege, but to make it non-interactive so that a person couldn't use it to gain illegal access to a system if they acquired its password?

I thought possibly limit it to zero workstations under the "Logon to.." account option.
Question by:tombo
5 Comments
 
LVL 4

Expert Comment

by:vvk
ID: 1777889
You can gain or grant any type of access to an account through UserManager/Policies/UserRights. To allow a service to start under a specified account, it must have the logon as service right. You can also disable rights such as logon locally, logon from network and so on. If you want to configure all user rights, don't forget to check the Show advanced user rights option.
0
 
LVL 5

Expert Comment

by:cer
ID: 1777890
For logon over network I wouldn't recommend the Policy. Because it is only one user it is easier to restrict the "logon at" of this user.
0
 

Author Comment

by:tombo
ID: 1777891
I don't think this was answered.
Yes - use the "Log on as service" right.
But since there is no 'exclude' option under User Rights you cannot remove just one user from a right (i.e. "Log on locally") easily - you would have to add individual users rather than groups. Therefore the "Log on locally" right is not an option here.
This then leaves the "Logon to.." option under Account Properties. If, as I suggested, I select for this account to logon to specific workstations and then not list any, does this:
- produce the effect of disallowing logon to ALL workstation members of the domain?, and
- affect the "Log on as service" right in any way?

0
 
LVL 5

Accepted Solution

by:
cer earned 250 total points
ID: 1777892
- create a new group "4service"
- create a new user  "special"
- join only this user to group 4service
- remove any other unnecessary groups from this user (user, domain-user)
- Open usermanager/policy/"logon locally"
  remove group everyone
  add group user, mainuser,domain-user

- Add the user special to policy "Logon as service"

Because all users are normally joined in one group (domain-users) and you exclude user special from this group, you _CAN_ use the policy "Log on locally". It is THE option here.

To prevent logon over the network you can do the same for "use computer over network" policy.

If you choose the "Logon to .." property you change only the property of this one special user, not of all members of the domain. Because this property restricts logon _from_ (not _to_) specific workstations (over the network) it does not affect a local logon (which "logon as service" is).

I hope my answer is specific enough to convince you.

Please: Ask for more information _before_ grading an F. Just do not check any of the grade buttons and type in your text.

0
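An added example, not part of the original thread: a Python check of the end state the accepted answer describes, where the service account holds "Log on as a service" but reaches neither "Log on locally" nor network logon through any group, including the implicit Everyone. It assumes the rights are available in the `[Privilege Rights]` layout of a security-template export with account names rather than SIDs; the sample data and the group name `Domain Users` are constructed.

```python
import configparser

# Windows names for the three user rights discussed in the thread.
SERVICE = "SeServiceLogonRight"      # "Log on as a service"
LOCAL = "SeInteractiveLogonRight"    # "Log on locally"
NETWORK = "SeNetworkLogonRight"      # "Access this computer from the network"

# Constructed sample: rights as they might look before and after the change.
BEFORE = """[Privilege Rights]
SeServiceLogonRight = special
SeInteractiveLogonRight = Administrators,Everyone
SeNetworkLogonRight = Administrators,Everyone
"""
AFTER = """[Privilege Rights]
SeServiceLogonRight = special
SeInteractiveLogonRight = Administrators,Domain Users
SeNetworkLogonRight = Administrators,Domain Users
"""

def parse_rights(text):
    """Return {right: set of lower-cased account/group names holding it}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of right names
    cp.read_string(text)
    return {right: {n.strip().lower() for n in value.split(",") if n.strip()}
            for right, value in cp["Privilege Rights"].items()}

def audit_service_account(user, groups, rights):
    """List problems with a service account's logon rights (empty = OK).

    groups must be the account's full, already-flattened group list.
    Every account is implicitly in Everyone, so a grant to Everyone counts.
    """
    principals = {user.lower(), "everyone"} | {g.lower() for g in groups}
    findings = []
    if not principals & rights.get(SERVICE, set()):
        findings.append(f"{SERVICE} missing: service cannot start as {user}")
    for right in (LOCAL, NETWORK):
        via = sorted(principals & rights.get(right, set()))
        if via:
            findings.append(f"{right} granted via {', '.join(via)}")
    return findings

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_service_account("special", ["4service"], parse_rights(text)))
```
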
 
LVL 5

Expert Comment

by:cer
ID: 1777893
tombo left you the following comment along with your grade:
Tut, tut, tut.......a little touchy on the grading subject - do we
lose our bonuses if we get too many 'Fs'?

I put an F because the only other option was D for acceptable, which
it wasn't. If it was D for poor I may have flicked one then.


Yes, you can read this somewhere in "how to use experts-exchange", F's are counted for experts and customers.
What you should have done is: Not to mark F, D or anything else. Just mark _nothing_, write a comment and submit. This will appear as a comment and the answer is still locked.

   Cer


0
