jimmylew52 asked on

Windows user to start and stop services that cannot log into servers.

I need to change permission on a user ID. I need the account to be able to start services and run Scheduled tasks but not be able to log into server or workstations.

Currently the UID in question is a member of the administrators group and is being used as a universal login name by the development team. I have tried everything except disabling the UID to stop this practice. The UID has been used for many years and is used for many services and scheduled tasks.

Any ideas on how to prevent the login of this UID without bringing down many services and scheduled tasks?
Topics: OS Security, Windows Networking, Network Security

Last comment: jimmylew52, 8/22/2022 (Mon)
ASKER CERTIFIED SOLUTION
Tony Giangreco

jimmylew52

ASKER
Each user has their own access as needed. What I need to do is restrict the login capabilities of the UID they have been using for years; barron is the problem UID.

Barron is in use for services and scheduled tasks on over 200 servers and I am the entire IT department. I have not had time in over a year to check every server to be sure I will not cause problems by disabling this user. If they have problems logging in with barron that is too bad, they have their own login.
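For the "200 servers and no time to check each one" problem, here is an added PowerShell inventory script (my own example, not something posted in the thread). It lists every Windows service and every scheduled task configured to run as the account, across a server list, so you know what would break before you restrict or disable the account. Assumptions: the account is CONTOSO\barron (CONTOSO is a placeholder domain, replace it with yours), WinRM is enabled on the servers, you run it from an admin session, and servers.txt holds one hostname per line.

```powershell
# Added example (not from the thread): inventory where a service account is used
# before restricting it. Assumes CONTOSO\barron (placeholder domain), WinRM access
# to each server, and a servers.txt file with one hostname per line.
param(
    [string]$Account = 'CONTOSO\barron',
    [string[]]$Servers = (Get-Content -Path .\servers.txt)
)

# Match on the bare user name so 'barron', 'CONTOSO\barron' and 'barron@contoso.local' all hit.
$user = ($Account -split '\\')[-1]

$results = foreach ($server in $Servers) {
    try {
        # Services: Win32_Service.StartName is the configured logon account.
        Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction Stop |
            Where-Object { $_.StartName -like "*$user*" } |
            ForEach-Object {
                [pscustomobject]@{ Server = $server; Type = 'Service'; Name = $_.Name;
                                   RunAs = $_.StartName; State = $_.State }
            }

        # Scheduled tasks: Principal.UserId is the "Run as" account (Task Scheduler 2.0, Server 2012+).
        Invoke-Command -ComputerName $server -ErrorAction Stop -ArgumentList $user -ScriptBlock {
            param($u)
            Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*$u*" } |
                ForEach-Object {
                    [pscustomobject]@{ Type = 'Task'; Name = ($_.TaskPath + $_.TaskName);
                                       RunAs = $_.Principal.UserId; State = [string]$_.State }
                }
        } | ForEach-Object {
            [pscustomobject]@{ Server = $server; Type = $_.Type; Name = $_.Name;
                               RunAs = $_.RunAs; State = $_.State }
        }
    }
    catch {
        # Unreachable hosts are recorded, not skipped: an unchecked server is itself a finding.
        [pscustomobject]@{ Server = $server; Type = 'Error'; Name = $_.Exception.Message;
                           RunAs = ''; State = '' }
    }
}

$results | Sort-Object Server, Type, Name | Format-Table -AutoSize
$results | Export-Csv -Path .\account-usage.csv -NoTypeInformation
```

Run it once before changing anything and keep the CSV; any row with Type = Error is a server you still have to look at by hand. The list is also the set of places where, longer term, each service or task could get its own dedicated account with only the rights it needs.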
Tony Giangreco

I'm in the same situation for multiple smaller clients, 20 to 50 users. I suggest following my instructions above and waiting to see who complains.

In the past, I've found many users stop using functions as time goes by. You may find only a few employees even need it. This closes up the access to your servers and makes them more secure.

Hope this helps!
SOLUTION
McKnife

jimmylew52

ASKER
I see that in explaining the network I have muddled the question.

200 servers - workstations are not an issue.

I have not been able to assign privileges to barron that will allow it to start services and scheduled tasks without making the user a domain admin, and domain admins have logon rights to the servers. Other domain admins need to be able to log in to the servers but barron does not.

I think the domain policy should be able to accomplish this but I do not find where to do it.
McKnife

Please describe what my suggestion is lacking.
jimmylew52

ASKER
If I had time, test servers and access to the offending users' desktops, it would work fine.

I've had a suggestion I am testing now. In group policies there is "Deny log on through Remote Desktop Services".

I have added barron to that group policy and so far no problems.
McKnife

My suggestion is by far better as it gives them only what they need and not access to any account. You can quickly see what it does by using, for example,
sc \\servername start servicename
from a command line that has been started as a privileged user.
It will start the service "servicename" on the remote computer "servername".
jimmylew52

ASKER
Here is what is working, simple and effective.

On the Domain Controller

gpedit.msc  >  Computer Configuration  >  Windows Settings  >  Security Settings  >  Local Policies  >  User Rights Assignment

Double click  >  Deny logon through Remote Desktop Services Properties

Add barron to the policy

This will not prevent local logon, but all of the users are using remote desktop through a VPN, so this has taken care of the problem.
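To confirm the deny right actually landed on a given server, and to make sure the related deny rights that would break the account's real job were not set by mistake, here is an added PowerShell check (my own example, not from the thread or from either answer). It exports the effective user rights with secedit, parses the [Privilege Rights] section, and reports which logon rights list the account. The important caveat it encodes: "Deny log on through Remote Desktop Services" (SeDenyRemoteInteractiveLogonRight) and, if you also want the console closed, "Deny log on locally" (SeDenyInteractiveLogonRight) are the only two to add; "Deny log on as a service" and "Deny log on as a batch job" must never contain this account, or every service and scheduled task running as it stops working. Assumptions: the account is CONTOSO\barron (placeholder domain), and the script runs elevated on a server that has already applied the policy.

```powershell
# Added example (not from the thread): show which logon rights on this server list
# the account, so the RDP deny can be verified and the service/batch deny rights
# confirmed absent. Assumes CONTOSO\barron (placeholder domain) and an elevated shell.
param([string]$Account = 'CONTOSO\barron')

# secedit writes rights as SIDs prefixed with '*', so resolve the account to its SID.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the effective local security policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Parse lines of the form:  SeDenyRemoteInteractiveLogonRight = *S-1-5-21-...,*S-1-5-32-546
$rights = @{}
$inSection = $false
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = ($Matches[2] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# What each right should look like for an account that starts services and runs
# scheduled tasks but must not get an interactive session.
$expectations = [ordered]@{
    'SeDenyRemoteInteractiveLogonRight' = 'LISTED:   blocks RDP logon (the fix from this thread)'
    'SeDenyInteractiveLogonRight'       = 'OPTIONAL: list it here too to also block console logon'
    'SeDenyServiceLogonRight'           = 'MUST NOT be listed: would stop every service running as the account'
    'SeDenyBatchLogonRight'             = 'MUST NOT be listed: would stop every scheduled task running as the account'
    'SeServiceLogonRight'               = 'needed by services (services.msc grants it when the logon account is set)'
    'SeBatchLogonRight'                 = 'needed by scheduled tasks'
}

foreach ($name in $expectations.Keys) {
    $listed = $rights.ContainsKey($name) -and (($rights[$name] -contains $sid) -or ($rights[$name] -contains $Account))
    [pscustomobject]@{ Right = $name; AccountListed = $listed; Expectation = $expectations[$name] }
}
```

The export reflects the policy as applied on that machine, so running it on a few servers after a gpupdate is a quick way to see whether the domain policy reached them. Note that the rights granted to the account through group membership (for example, Administrators) show up under the group's SID, not the account's; the script only tells you what is assigned to the account by name.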
jimmylew52

ASKER
Thanks for the input. I was about to give up and your input kept me trying to find the answer.