Solved

How to restrict service account login to just the computers contained in 1 OU without specifying all the computers it can login to (in the properties of the service account)?

Posted on 2008-10-20
7
901 Views
Last Modified: 2009-12-16
I would like a new service account we have to ONLY be able to login to computers contained in a specific OU.  This OU has many computer accounts contained in sub OU's so I do not want to list each computer in the service accounts' properties (under the "Log On To..." button).  
Is this possible via GPO? or some other solution?
0
Comment
Question by:TaraC
  • 4
  • 3
7 Comments
 
LVL 18

Expert Comment

by:sk_raja_raja
Comment Utility
yeah create a OU, link it to the OU with the setting "Log on locally"  for service accounts only
0
 

Author Comment

by:TaraC
Comment Utility
Sorry... I know to do that, but how do I stop that service account from logging in anywhere else in the domain?  this one service accounts' login permission should be restricted to just this OU structure.
Thank you,
0
 
LVL 18

Expert Comment

by:sk_raja_raja
Comment Utility
1.you can better do it by defining the " Deny logon locally" on a group policy and link it in the domain level.
2. Block the inheritance on the OU which you want to allow this service account to login.
3.Create a GP on this OU, define "allow logon locally" and enforce it
0
Integrate social media with email signatures

Is your company active on social media? Do you also use email signatures? Including social media icons in your email signature is a great way to get fans for free. Let all your email users know you’re on social media quickly and easily, in a single click.

 

Author Comment

by:TaraC
Comment Utility
Thank you, I was thinking the same but was hoping for a better solution besides Blocking Inheritance.  There are lots of things we apply at the domain level and I'd rather just keep inheritance applied.
0
 

Author Comment

by:TaraC
Comment Utility
Any other solutions to this problem?  
Thanks,
0
 
LVL 18

Accepted Solution

by:
sk_raja_raja earned 250 total points
Comment Utility
Ok...

1.Create the policy you want to apply and define the settings "deny log on locally" for service account.
2. Go to the properties for the policy (right click on the policy name and select properties) and select the Security tab.
3.Remove the Apply Group Policy right for Authenticated Users.
4 Next click Add and select the service account
5.Give it Read and Apply Group Policy permissions.
6. Now link it on the domain level and do not enfore
7.Create a new policy with "allow log on locally" on your desire OU and no need to block inheritance here
8.Now enforce this policy

****************Please test this in your test lab before applying it in production server**************
Also ref this posts

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22071448.html
http://www.experts-exchange.com/OS/Miscellaneous/Q_20830383.html
0
 

Author Comment

by:TaraC
Comment Utility
This is a good solution ... BUT  (always a but).... doing it this way, I would now need to define all possible users that would login to the computers in that desired OU.  I'm checking now to see if an existing list of users is defined anyway
0

Featured Post

Free book by J.Peter Bruzzese, Microsoft MVP

Are you using Office 365? Trying to set up email signatures but you’re struggling with transport rules and connectors? Let renowned Microsoft MVP J.Peter Bruzzese show you how in this exclusive e-book on Office 365 email signatures. Better yet, it’s free!

Join & Write a Comment

Recently Microsoft released a brand new function called CONCAT. It's supposed to replace its predecessor CONCATENATE. But how does it work? And what's new? In this article, we take a closer look at all of this - we even included an exercise file for…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now