
Need service domain accounts or application domain accounts to not be able to log on to the domain.

Medium Priority
Last Modified: 2013-12-04
I have some domain accounts that are basically service accounts. These accounts are used for certain applications like Veritas, or other third-party applications... they need to be domain admin accounts in order to work properly. So, is there any way to remove the right for these accounts to log on to the domain but keep doing their function as service accounts for these applications? Basically, for security reasons, what I don't want is people who know the password for these service accounts being able to log in to the domain with these service accounts.



You can disable login using these accounts, either in group policy, or on individual workstations.
But that is an exemption... It would also make it very difficult to rectify any fault related to permissions...
I suggest you increase the security level of your domain (if you haven't already) to 2003 and keep the passwords complex and secret.
If you were really really paranoid, you can always look at a smartcard technology...
There are many settings to stop people looking into system settings, just get your hands on a bank's SOE and look at what's disabled...
You wouldn't want someone taking a registry hive away and reverse engineering it, so make the passwords long and complex, just in case they do, make it take them a lifetime...

Hope that helps.

Ph.D. Candidate
1- Add them to a group.
2- In the domain default group policy go to
Computer Configuration
Windows Settings
Security Settings
Local Policies
Deny log on locally, add this group
Deny log on through Terminal Services, add this group

Also, you can set it from the account settings:
in "log on to", add any computer name which does not exist.

Another trick I like is to assign a login script to all of my service accounts that runs qlogoff.exe from http://www.joeware.net/freetools. Doesn't affect the service account's ability to do its job, but if anyone tries to log on with it interactively, qlogoff.exe will immediately log them off again.
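
The "deny log on" policy from the numbered steps above can be verified on a member computer once Group Policy has applied. The PowerShell check below is an added example, not part of the original thread; the group name `CONTOSO\SVC-NoInteractive` is a placeholder, and the script assumes an elevated prompt and the built-in `secedit.exe`.

```powershell
# Added example: confirm a (hypothetical) service-account group is denied
# interactive and Remote Desktop logon on this computer.
param(
    [string]$GroupName = 'CONTOSO\SVC-NoInteractive'   # placeholder group name
)

function Resolve-Sid([string]$Account) {
    # Translate DOMAIN\name (or a bare local name) to its SID string.
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

$sid = Resolve-Sid $GroupName

# Export the effective user-rights assignment of the local machine.
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

# Privilege constants behind "Deny log on locally" and
# "Deny log on through Terminal Services".
$rights = 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'

$results = foreach ($right in $rights) {
    $line = Select-String -Path $inf -Pattern "^$right\s*=" | Select-Object -First 1
    $members = @()
    if ($line) {
        # Entries are "*S-1-5-..." SIDs; some accounts are exported by name.
        $members = @(($line.Line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ } |
            ForEach-Object {
                if ($_.StartsWith('*')) { $_.TrimStart('*') }
                else { try { Resolve-Sid $_ } catch { $_ } }
            })
    }
    [pscustomobject]@{
        Right   = $right
        Denied  = $members -contains $sid
        Members = $members -join ', '
    }
}

Remove-Item $inf -ErrorAction SilentlyContinue
$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled compliance job flag the host.
if ($results.Denied -contains $false) { exit 1 }
```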


I like your solution, I think that can fit in my environment, but the tool (qlogoff.exe) won't be approved because it's not an industry standard. Any idea about a Microsoft support tool or similar command line that can be a substitution for this qlogoff.exe and is supported by Microsoft or another vendor?

