Solved

Non-InterActive user Accounts

Posted on 1997-04-06
5
1,383 Views
Last Modified: 2013-12-28
Is it possible to set up a user account that a service can use to get a certain user-privilege, but to make it non-interactive so that a person couldn't use it to gain illegal access to a system if they acquired it's password?

I thought possibly limit it to zero workstations under the "Logon to.." account option.
0
Comment
Question by:tombo
  • 3
5 Comments
 
LVL 4

Expert Comment

by:vvk
ID: 1777889
You can gain or grant any type of access to account through UserManger/Policies/UserRights. To allow start service under specified account it must have logon as service rigt. Also you can disable rights as logog locally, logon from network and so on. If you want configure all user rights don't forget check Show advanced user rights option.
0
 
LVL 5

Expert Comment

by:cer
ID: 1777890
For logon over network I wouldn't recommend the Policy. Because it is only one user it is easier to restrict the "logon at" of this user.
0
 

Author Comment

by:tombo
ID: 1777891
I don't think this was answered.
Yes - use the "Log on as service" right.
But since there is no 'exclude' option under User Rights you cannot remove just one user from a right (i.e. "Log on locally") easily - you would have to add individual users rather than groups. Therefore the "Log on locally" right is not an option here.
This then leaves the "Logon to.." option under Account Properties. If, as I suggested, I select for this account to logon to specific workstations and then not list any, does this:
- produce the effect of disallowing logon to ALL workstation members of the domain?, and
- affect the "Log on as service" right in any way?

0
 
LVL 5

Accepted Solution

by:
cer earned 250 total points
ID: 1777892
- create a new group "4service"
- create a new user  "special"
- join only this user to group 4service
- remove any other unnecessary groups from this user (user, domain-user)
- Open usermanager/policy/"logon locally"
  remove group everyone
  add group user, mainuser,domain-user

- Add the user special to policy "Logon as service"

Because all users are normaly joined in one group (domain-users) and you exclude user special from this group, you _CAN_ use the policy "Log on locally". It is THE option here.

To prevent logon over the network you can do the same for "use computer over network" policy.

If you choose the "Logon to .." property you change only the property of this one special user, not of all members of the domain. Because this property restricts logon _from_ (not _to_) specific workstations (over the network) it does not affect a local logon (which "logon as service" is).

I hope my answer is specific enough to convince you.

Please: Ask for more information _before_ grading an F. Just do not check any of the grade buttons and type in your text.

0
 
LVL 5

Expert Comment

by:cer
ID: 1777893
tombo left you the following comment along with your grade:
Tut, tut, tut.......a little touchy on the grading subject - do we
lose our bonuses if we get too many 'Fs'?

I put an F because the only other option was D for acceptable, which
it wasn't. If it was D for poor I may have flicked one then.


Yes, you can read this somewhere in "how to use experts-exchange", F's are counted for experts and customers.
What you you should have done is: Not to mark F, D or anythink else. Just mark _nothing_, write a comment and submit. This will appear as a comment and the answer is still locked.

   Cer


0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
How to record audio from input sources to your PC – connected devices, connected preamp to record vinyl discs, streaming media, that play through your audio card: Vista, Windows 7, Windows 8, Windows 8.1 and Windows 10 – both 32 bit & 64.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question