Solved

How to restrict service account login to just the computers contained in 1 OU without specifying all the computers it can login to (in the properties of the service account)?

Posted on 2008-10-20
7
907 Views
Last Modified: 2009-12-16
I would like a new service account we have to ONLY be able to login to computers contained in a specific OU.  This OU has many computer accounts contained in sub OU's so I do not want to list each computer in the service accounts' properties (under the "Log On To..." button).  
Is this possible via GPO? or some other solution?
0
Comment
Question by:TaraC
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22759845
yeah create a OU, link it to the OU with the setting "Log on locally"  for service accounts only
0
 

Author Comment

by:TaraC
ID: 22759868
Sorry... I know to do that, but how do I stop that service account from logging in anywhere else in the domain?  this one service accounts' login permission should be restricted to just this OU structure.
Thank you,
0
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22759959
1.you can better do it by defining the " Deny logon locally" on a group policy and link it in the domain level.
2. Block the inheritance on the OU which you want to allow this service account to login.
3.Create a GP on this OU, define "allow logon locally" and enforce it
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:TaraC
ID: 22760324
Thank you, I was thinking the same but was hoping for a better solution besides Blocking Inheritance.  There are lots of things we apply at the domain level and I'd rather just keep inheritance applied.
0
 

Author Comment

by:TaraC
ID: 22762270
Any other solutions to this problem?  
Thanks,
0
 
LVL 18

Accepted Solution

by:
sk_raja_raja earned 250 total points
ID: 22762419
Ok...

1.Create the policy you want to apply and define the settings "deny log on locally" for service account.
2. Go to the properties for the policy (right click on the policy name and select properties) and select the Security tab.
3.Remove the Apply Group Policy right for Authenticated Users.
4 Next click Add and select the service account
5.Give it Read and Apply Group Policy permissions.
6. Now link it on the domain level and do not enfore
7.Create a new policy with "allow log on locally" on your desire OU and no need to block inheritance here
8.Now enforce this policy

****************Please test this in your test lab before applying it in production server**************
Also ref this posts

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22071448.html
http://www.experts-exchange.com/OS/Miscellaneous/Q_20830383.html
0
 

Author Comment

by:TaraC
ID: 22770945
This is a good solution ... BUT  (always a but).... doing it this way, I would now need to define all possible users that would login to the computers in that desired OU.  I'm checking now to see if an existing list of users is defined anyway
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Determining the an SCCM package name from the Package ID
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question