service accounts interactive login

Can I ask a quick question about service accounts - are they typically local accounts on a server? i.e. if I check local groups will the service account be listed as a normal account? Or are they different?

Secondly, it is best practice to deny service accounts permission to interactively log on to systems, but how can you check if such a control is in operation? What evidence would there be to see if SAs can interactively log in or can't?
pma111 Asked:

Numbid Commented:
Do you mean built-in service accounts (system, network service)? Or a manually created account?

You can use local accounts or domain accounts, depending on whether domain resources are needed.

If on AD:

- Open gpmc.msc, and create a GPO linked to a computer OU
- Modify GPO under Computer Configuration/ Windows Settings/Security Settings/Local Policies/User Rights Assignment
- Add your service account to 'Deny log on locally' and 'Deny log on through Terminal Services'
- Test

If standalone, modify local policies using gpedit.msc.
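
One way to gather evidence that the control is in operation on a given server, as an added example that is not part of the original thread. It reads a `secedit` user-rights export and reports whether an account is listed under the two deny rights named in the answer; the function name `Get-DenyLogonStatus`, the account `EXAMPLE\svc-sql` and its SID are constructed for illustration.

```powershell
function Get-DenyLogonStatus {
    param(
        [string[]] $PolicyLines,   # lines of a secedit USER_RIGHTS export
        [string]   $AccountName,   # e.g. 'EXAMPLE\svc-sql' (hypothetical account)
        [string]   $AccountSid     # optional; resolved from the name if omitted
    )
    if (-not $AccountSid) {
        try {
            $AccountSid = ([System.Security.Principal.NTAccount]$AccountName).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { $AccountSid = $null }   # name cannot be resolved on this machine
    }
    $short  = ($AccountName -split '\\')[-1]   # name without the domain or host prefix
    $rights = [ordered]@{
        SeDenyInteractiveLogonRight       = 'Deny log on locally'
        SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
    }
    foreach ($right in $rights.Keys) {
        # Export lines look like: SeDenyInteractiveLogonRight = *S-1-5-...,Guest
        $line = $PolicyLines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
        $entries = @()
        if ($line) {
            $entries = @(($line -split '=', 2)[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') })
        }
        # Entries are SIDs (exported with a leading *) or plain account names
        $hit = $entries | Where-Object { $_ -eq $AccountSid -or $_ -eq $AccountName -or $_ -eq $short }
        [pscustomobject]@{
            Policy         = $rights[$right]
            Entries        = $entries -join ', '
            DirectlyDenied = [bool]$hit
        }
    }
}

# Constructed sample export. On a live host, from an elevated prompt, use instead:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
#   $policy = Get-Content "$env:TEMP\rights.inf"
$policy = @(
    '[Privilege Rights]'
    'SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105,Guest'
    'SeDenyRemoteInteractiveLogonRight = Guest'
)
Get-DenyLogonStatus -PolicyLines $policy -AccountName 'EXAMPLE\svc-sql' `
    -AccountSid 'S-1-5-21-1111111111-2222222222-3333333333-1105' | Format-Table -AutoSize
```

`DirectlyDenied` only reflects accounts listed by name or SID; an account denied through membership of a listed group shows as `False`, so review the `Entries` column for groups as well.
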
pma111 (Author) Commented:
Service accounts for apps such as MSSQL Server and other key server apps.
Question has a verified solution.