llarava
asked on
Need services domain accounts or application domain accounts not be able to log on the domain.
I have some domain accounts that are basically service account. These account are use for certain application like Veritas, or other third party applications... they need to be domain admin accounts in order to be working fine. So, is there anyway to remove the right for this accounts to log on the domain but keep doing their function as service account for these applications. Basically for security reasons what I don't want is people that know the password for this service accounts able to login on the domain with these services accounts.
Thanks.
Thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
LauraEHunterMVP,
I like your solution, I think that can fit in my environment but the tool (qlogoff.exe) won't be approve because it's not a industry standard. Any idea about a microsoft support tool or similar commandile that can be a a substitution for this qlogoff.exe and it's suported by microsoft or other vendor?
Thanks!
I like your solution, I think that can fit in my environment but the tool (qlogoff.exe) won't be approve because it's not a industry standard. Any idea about a microsoft support tool or similar commandile that can be a a substitution for this qlogoff.exe and it's suported by microsoft or other vendor?
Thanks!
But that is an exemption... It would also make it very difficult to rectify any fault related to permissions...
I suggest you increase the security level of your domain (If you haven't already) to 2003 and keep the passwords complex and secret..
If you were really really paranoid, you can always look at a smartcard technology...
There are many settings to stop people looking into system settings, just get your hands on a banks SOE and look at whats disabled...
You wouldn't want someone taking a registry hive away and reverse engineering it, so make the passwords long and complex, just incase they do, make it take them a lifetime....
Hope that helps.