TaraC
asked on
How to restrict service account login to just the computers contained in 1 OU without specifying all the computers it can login to (in the properties of the service account)?
I would like a new service account we have to ONLY be able to login to computers contained in a specific OU. This OU has many computer accounts contained in sub OU's so I do not want to list each computer in the service accounts' properties (under the "Log On To..." button).
Is this possible via GPO? or some other solution?
Is this possible via GPO? or some other solution?
yeah create a OU, link it to the OU with the setting "Log on locally" for service accounts only
ASKER
Sorry... I know to do that, but how do I stop that service account from logging in anywhere else in the domain? this one service accounts' login permission should be restricted to just this OU structure.
Thank you,
Thank you,
1.you can better do it by defining the " Deny logon locally" on a group policy and link it in the domain level.
2. Block the inheritance on the OU which you want to allow this service account to login.
3.Create a GP on this OU, define "allow logon locally" and enforce it
2. Block the inheritance on the OU which you want to allow this service account to login.
3.Create a GP on this OU, define "allow logon locally" and enforce it
ASKER
Thank you, I was thinking the same but was hoping for a better solution besides Blocking Inheritance. There are lots of things we apply at the domain level and I'd rather just keep inheritance applied.
ASKER
Any other solutions to this problem?
Thanks,
Thanks,
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
This is a good solution ... BUT (always a but).... doing it this way, I would now need to define all possible users that would login to the computers in that desired OU. I'm checking now to see if an existing list of users is defined anyway