Avatar of shankshank

Active directory, deny AD rights

I have a Windows 2003 AD domain. We created an account and gave it domain admin rights. We disabled log on locally and log on interactively through Terminal Services. Basically this dummy account just needs access to run as a service and connect to file shares of different servers. The bigger question is how can I lock it down from AD-related things, such as the MMC of DNS, DHCP, group policy etc.?

Avatar of merowinger

Avatar of shankshank


Yeah, the user needs more rights than just logon as service...
Security-wise, this isn't such a good idea.  Generally, for a service account, you want to create an account and only give it the rights necessary to do the job (not give it domain admin rights then strip extra rights away).  Deny rights are a sure sign of this...
Well, the account was connecting to multiple servers, and not just for logging on as a service, but to access performance filters and map drives etc. So what to do then?
What functions does it need to perform on the other servers?