Need service domain accounts or application domain accounts to not be able to log on to the domain.

I have some domain accounts that are basically service accounts. These accounts are used for certain applications like Veritas, or other third-party applications... they need to be domain admin accounts in order to work fine. So, is there any way to remove the right for these accounts to log on to the domain but keep them doing their function as service accounts for these applications? Basically, for security reasons, what I don't want is people that know the password for these service accounts being able to log in to the domain with these service accounts.



You can disable login using these accounts, either in group policy, or on individual workstations.
But that is an exemption... It would also make it very difficult to rectify any fault related to permissions...
I suggest you increase the security level of your domain (if you haven't already) to 2003 and keep the passwords complex and secret..
If you were really, really paranoid, you can always look at smartcard technology...
There are many settings to stop people looking into system settings; just get your hands on a bank's SOE and look at what's disabled...
You wouldn't want someone taking a registry hive away and reverse engineering it, so make the passwords long and complex, just in case they do, make it take them a lifetime....

Hope that helps.

Ahmed Abdel Salam, Ph.D. Candidate, commented:
1- Add them to a group.
2- In the domain default group policy go to
Computer Configuration
Windows Settings
Security Settings
Local Policies
Deny log on locally: add this group
Deny log on through Terminal Services: add this group

Also you can set it from the account settings:
Log On To: add any computer name which does not exist.
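The two "Deny log on" rights and the "Log On To" restriction from this answer can be verified and applied from PowerShell. This is an added example, not code from the thread; it assumes the service accounts are collected in a domain group named DOMAIN\SvcAccounts-NoInteractive, one member account is svc_veritas, and the ActiveDirectory RSAT module is installed.

```powershell
# Added example (not from the thread). Assumed names: the group DOMAIN\SvcAccounts-NoInteractive
# that holds the service accounts, and one member account svc_veritas.
$Group   = 'DOMAIN\SvcAccounts-NoInteractive'
$Account = 'svc_veritas'

# secedit lists rights holders as *SID, so resolve the group to its SID first.
$sid = ([System.Security.Principal.NTAccount]$Group).Translate(
          [System.Security.Principal.SecurityIdentifier]).Value

# Export the effective local security policy of this machine (GPO-applied rights included).
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$policy = Get-Content -Path $cfg
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# The two rights named in the answer and their privilege constants in the exported policy.
$rights = [ordered]@{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
}

# Report whether the group's SID appears in each deny right on this host.
foreach ($name in $rights.Keys) {
    $line   = $policy | Where-Object { $_ -match "^$name\s*=" }
    $denied = [bool]($line -and $line -like "*$sid*")
    [pscustomobject]@{
        Right   = $rights[$name]
        Group   = $Group
        Applied = $denied
    }
}

# "Log On To" from the account properties: restrict the account to a host name that does
# not exist, so no workstation will accept an interactive logon for it.
Import-Module ActiveDirectory
Set-ADUser -Identity $Account -LogonWorkstations 'NO-SUCH-HOST'
Get-ADUser -Identity $Account -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations
```

Run the audit part elevated on a member server where the GPO applies. After setting LogonWorkstations, confirm that the application's service still starts under the account, since a host not on that list may also be refused a service logon.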

Another trick I like is to assign a login script to all of my service accounts that runs qlogoff.exe from  Doesn't affect the service account's ability to do its job, but if anyone tries to log on with it interactively, qlogoff.exe will immediately log them off again.
llarava (Author) commented:
I like your solution, I think that can fit in my environment, but the tool (qlogoff.exe) won't be approved because it's not an industry standard. Any idea about a Microsoft-supported tool or similar command line that can be a substitution for this qlogoff.exe and is supported by Microsoft or another vendor?
