Windows user to start and stop services that cannot log into servers.

jimmylew52
I need to change permission on a user ID. I need the account to be able to start services and run Scheduled tasks but not be able to log into server or workstations.

Currently the UID in question is a member of the administrators group and is being used used as a universal login name by the development team. I have tried everything except disabling the UID to stop this practice. The UID has been used for many years and is used for many services and scheduled tasks.

Any ideas on how to prevent the login of this UID without bringing down many services and scheduled tasks?
I would evaluate everything they perform that needs some type of administrative access. Then create a new user and build the must-have security into it. Then disable the old user ID. Send them the new one to use.

If you get calls that they can't do something, if you think they need it, then add it. If not, you have closed up some loopholes.

Author

Commented:
Each user has their own access as needed. What I need to do is restrict the login capabilities of the UID they have been using for years; barron is the problem UID.

Barron is in use for services and scheduled tasks on over 200 servers and I am the entire IT department. I have not had time in over a year to check every server to be sure I will not cause problems by disabling this user. If they have problems logging in with barron that is too bad, they have their own login.
I'm in the same situation for multiple smaller clients, 20 to 50 users. I suggest following my instructions above and waiting to see who complains.

In the past, I've found many users stop using functions as time goes by. You may find only a few employees even need it. This closes up the access to your servers and makes them more secure.

Hope this helps!
Distinguished Expert 2018
Commented:
Set up scheduled tasks at the users' workstations that run as server admin against the remote system. Adjust the ACL of the tasks so that they can be started but not changed by users, and that's all.

Author

Commented:
I see that in explaining the network I have muddled the question.

200 servers - workstations are not an issue.

I have not been able to assign privileges to barron that will allow it to start services and scheduled tasks without making the user a domain admin, and domain admins have logon rights to the servers. Other domain admins need to be able to log in to the servers but barron does not.

I think the domain policy should be able to accomplish this but I do not find where to do it.
Distinguished Expert 2018

Commented:
Please describe what my suggestion is lacking.

Author

Commented:
If I had time, test servers and access to the offending users desktop it would work fine.

I've had a suggestion I am testing now. In group policies there is "Deny log on through Remote Desktop Services".

I have added barron to that group policy and so far no problems.
Distinguished Expert 2018

Commented:
My suggestion is by far better as it gives them only what they need and not access to any account. You can quickly see what it does by using, for example,
sc \\servername start servicename
from a command line that has been started as a privileged user.
It will start the service "servicename" on the remote computer "servername".

Author

Commented:
Here is what is working, simple and effective.

On the Domain Controller

gpedit.msc  >  Computer Configuration  >  Windows Settings  >  Security Settings  >  Local Policies  >  User Rights Assignment

Double click  >  Deny logon through Remote Desktop Services Properties

Add barron to the policy

This will not prevent local logon but all of the users are using remote desktop through a VPN so this has taken care of the problem.
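An added example in PowerShell, not from this thread, that covers the two worries raised above: it inventories which services and scheduled tasks on each server run as the shared account (so restricting it does not silently break them), and confirms that the effective "Deny log on through Remote Desktop Services" right on each server actually contains the account. It assumes the account is CONTOSO\barron (placeholder domain), that server names are listed in .\servers.txt, and that the caller has admin rights and PowerShell remoting to every server.

```powershell
# Added example (not from the thread). Before restricting the shared account's logon:
# 1) inventory the services and scheduled tasks on each server that run as it, so
#    nothing breaks, and 2) verify the effective "Deny log on through Remote Desktop
#    Services" right (SeDenyRemoteInteractiveLogonRight) on each server contains the
#    account's SID. Assumptions: account CONTOSO\barron (placeholder domain), server
#    names in .\servers.txt, and admin rights plus PS remoting on every server.
# Note: this right blocks RDP only; console (interactive), service, batch (the usual
# scheduled-task logon) and network logons are separate rights and are not affected.

$Account = 'CONTOSO\barron'
$Servers = Get-Content -Path .\servers.txt
$NT   = New-Object System.Security.Principal.NTAccount($Account)
$Sid  = $NT.Translate([System.Security.Principal.SecurityIdentifier]).Value
$User = $Account.Split('\')[-1]

$report = foreach ($s in $Servers) {
    # Services: Win32_Service.StartName holds the logon account (DOMAIN\user or UPN form).
    Get-CimInstance -ClassName Win32_Service -ComputerName $s -ErrorAction SilentlyContinue |
        Where-Object { $_.StartName -like "*$User*" } |
        ForEach-Object {
            [pscustomobject]@{ Server = $s; Kind = 'Service'; Name = $_.Name; Detail = $_.StartName }
        }

    # Scheduled tasks and the user-rights check are evaluated on the server itself.
    Invoke-Command -ComputerName $s -ErrorAction SilentlyContinue -ScriptBlock {
        $user = $using:User; $sid = $using:Sid
        Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*$user*" } |
            ForEach-Object {
                [pscustomobject]@{ Server = $env:COMPUTERNAME; Kind = 'Task'; Name = $_.TaskName; Detail = $_.Principal.UserId }
            }

        # secedit exports the effective local security policy, i.e. with domain GPO applied.
        $cfg = Join-Path $env:TEMP 'rights.inf'
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -like 'SeDenyRemoteInteractiveLogonRight*' }
        Remove-Item $cfg -ErrorAction SilentlyContinue
        $state = if ($line -and ($line -like "*$sid*")) { 'applied' } else { 'NOT applied' }
        [pscustomobject]@{ Server = $env:COMPUTERNAME; Kind = 'DenyRDP'; Name = 'SeDenyRemoteInteractiveLogonRight'; Detail = $state }
    }
}

$report | Sort-Object Server, Kind, Name | Format-Table -AutoSize
```

Any server whose DenyRDP row reads "NOT applied" has not picked up the domain policy yet (run gpupdate or check the GPO link), and every Service/Task row is a dependency to account for before the account is locked down further.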

Author

Commented:
Thanks for the input. I was about to give up and your input kept me trying to find the answer.
