

Need service domain accounts or application domain accounts to not be able to log on to the domain.

Posted on 2008-01-28
Medium Priority
Last Modified: 2013-12-04
I have some domain accounts that are basically service accounts. These accounts are used for certain applications like Veritas or other third-party applications... they need to be domain admin accounts in order to work fine. So, is there any way to remove the right for these accounts to log on to the domain but keep them doing their function as service accounts for these applications? Basically, for security reasons, what I don't want is people who know the password for these service accounts being able to log in to the domain with these service accounts.


Question by:llarava

Expert Comment

ID: 20765454
You can disable login using these accounts, either in group policy or on individual workstations.
But that is an exemption... It would also make it very difficult to rectify any fault related to permissions...
I suggest you increase the security level of your domain (if you haven't already) to 2003 and keep the passwords complex and secret.
If you were really, really paranoid, you could always look at smartcard technology...
There are many settings to stop people looking into system settings; just get your hands on a bank's SOE and look at what's disabled...
You wouldn't want someone taking a registry hive away and reverse engineering it, so make the passwords long and complex, just in case they do, so that it takes them a lifetime...

Hope that helps.


Accepted Solution

Ahmed Abdel Salam earned 1000 total points
ID: 20765482
1- Add them to a group.
2- In the domain default group policy, go to:
Computer Configuration
Windows Settings
Security Settings
Local Policies
Deny log on locally: add this group
Deny log on through Terminal Services: add this group

You can also set it from the account settings:
Log On To: add any computer name which does not exist.
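A scripted version of the procedure above, added here as an example rather than taken from the thread. It assumes the ActiveDirectory module (RSAT) in a Domain Admin session; the group name, OU, account names and host names are placeholders. The two deny rights live in the User Rights Assignment node under Local Policies (the path above stops one level short of it). The script writes them into a security template that secedit can apply to one machine for a test and that the GPO editor can take as-is (right-click Security Settings > Import Policy...). A deny right is evaluated by SID and overrides Domain Admins membership, and it only covers the interactive and RDP logon types, so the Service Control Manager can still start services under the account. For the "Log On To" step the example deliberately lists the hosts that run the services instead of a non-existent name: the domain controller checks that list for every logon the account performs, service logons included, so a list naming no real host stops the services as well.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (RSAT) and a Domain Admin session; every name below is a placeholder.
Import-Module ActiveDirectory

$GroupName       = 'SvcAccounts-NoInteractive'          # assumed group name
$GroupOu         = 'OU=Groups,DC=example,DC=com'        # assumed OU
$ServiceAccounts = @('svc-veritas', 'svc-app')          # assumed sAMAccountNames
$ServiceHosts    = 'BACKUP01,BACKUP02'                  # assumed servers that run the services

# 1. One group holds every service account that must never log on interactively.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -Path $GroupOu `
        -Description 'Service accounts: deny interactive and RDP logon'
}
Add-ADGroupMember -Identity $GroupName -Members $ServiceAccounts
$GroupSid = (Get-ADGroup -Identity $GroupName).SID.Value

# 2. Security template carrying the two deny rights, keyed by the group's SID.
#    These are the privilege names behind "Deny log on locally" and
#    "Deny log on through Terminal Services". Deliberately absent:
#    SeDenyNetworkLogonRight and SeDenyBatchLogonRight, which would break the
#    backup agent's connections to other hosts and any scheduled tasks it runs.
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *{0}
SeDenyRemoteInteractiveLogonRight = *{0}
'@ -f $GroupSid
$TemplatePath = Join-Path $env:TEMP 'deny-svc-interactive.inf'
Set-Content -Path $TemplatePath -Value $Template -Encoding Unicode

# 3a. Apply to this machine to test. For the domain, import the same .inf into
#     a dedicated GPO linked at the domain root rather than editing the
#     Default Domain Policy (Security Settings > Import Policy... in the editor).
secedit /configure /db (Join-Path $env:TEMP 'deny-svc-interactive.sdb') `
        /cfg $TemplatePath /areas USER_RIGHTS /quiet

# 3b. Check that the rights landed: export the effective user rights and look
#     for the two deny entries carrying the group's SID.
$ExportPath = Join-Path $env:TEMP 'effective-rights.inf'
secedit /export /cfg $ExportPath /areas USER_RIGHTS
Select-String -Path $ExportPath -Pattern 'SeDeny(Remote)?InteractiveLogonRight' |
    ForEach-Object { $_.Line }

# 4. "Log On To" (the userWorkstations attribute). The DC enforces this list for
#    service logons too, so it must name the hosts that run the services.
foreach ($Account in $ServiceAccounts) {
    Set-ADUser -Identity $Account -LogonWorkstations $ServiceHosts
}
```

After the GPO has replicated and refreshed, an interactive attempt with one of the accounts fails at the logon screen before any session is created, which is the check worth doing on a test workstation. Keep the Domain Admins group itself out of the new group: the deny applies to every member, and a mistake here locks administrators out of consoles domain-wide.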

Assisted Solution

LauraEHunterMVP earned 1000 total points
ID: 20767984
Another trick I like is to assign a login script to all of my service accounts that runs qlogoff.exe from http://www.joeware.net/freetools.  Doesn't affect the service account's ability to do its job, but if anyone tries to log on with it interactively, qlogoff.exe will immediately log them off again.
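The same logon-script trick done with tooling already on every Windows machine, added here as an example and not part of the thread: logoff.exe and eventcreate.exe ship in System32, so no third-party binary is involved. It assumes a Domain Admin session with the ActiveDirectory module; the script name, event ID and account names are placeholders. The script is assigned through the account's own Profile tab (the scriptPath attribute), which only runs for interactive console and RDP logons and never when the Service Control Manager starts a service under the account, which is why the services keep working.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (RSAT) and a Domain Admin session; names below are placeholders.
Import-Module ActiveDirectory

$ServiceAccounts = @('svc-veritas', 'svc-app')          # assumed sAMAccountNames
$ScriptName      = 'svc-interactive-kick.cmd'           # assumed script name
$NetlogonShare   = "\\$env:USERDNSDOMAIN\NETLOGON"      # replicated to every DC

# The logon script: record the attempt in the Application log, then end the
# session with the built-in logoff.exe. Event ID 900 and the source name are
# arbitrary choices for this example.
$LogonScript = @'
@echo off
eventcreate /L APPLICATION /T WARNING /ID 900 /SO SvcAccountLogon /D "Interactive logon by service account %USERNAME% on %COMPUTERNAME% (session %SESSIONNAME%)" >nul 2>&1
logoff
'@
Set-Content -Path (Join-Path $NetlogonShare $ScriptName) -Value $LogonScript -Encoding Ascii

# Attach the script to each service account (Profile tab > Logon script).
foreach ($Account in $ServiceAccounts) {
    Set-ADUser -Identity $Account -ScriptPath $ScriptName
}

# Show what was set.
Get-ADUser -Identity $ServiceAccounts -Properties ScriptPath |
    Select-Object SamAccountName, ScriptPath
```

Two caveats a practitioner should weigh before relying on this. The interactive logon has already succeeded by the time the script runs, so the security log records it as an ordinary logon and the user has a short window before logoff fires; this is a tripwire and an annoyance, not an access control, and the deny rights in the accepted answer are what actually refuse the session. And eventcreate needs permission to register a new event source the first time it is used with one, which a Domain Admin service account has but a least-privilege account might not.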

Author Comment

ID: 20768066
I like your solution; I think it can fit in my environment, but the tool (qlogoff.exe) won't be approved because it's not an industry standard. Any idea about a Microsoft support tool or a similar command line that can be a substitute for qlogoff.exe and is supported by Microsoft or another vendor?

