Link to home
Start Free TrialLog in
Avatar of jimmylew52
jimmylew52Flag for United States of America

asked on

Windows user to start and stop services that cannot log into servers.

I need to change permission on a user ID. I need the account to be able to start services and run Scheduled tasks but not be able to log into server or workstations.

Currently the UID in question is a member of the administrators group and is being used used as a universal login name by the development team. I have tried everything except disabling the UID to stop this practice. The UID has been used for many years and is used for many services and scheduled tasks.

Any ideas on how to prevent the login of this UID without bringing down many services and scheduled tasks?
Avatar of Tony Giangreco
Tony Giangreco
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of jimmylew52


each user user has their own access as needed. What I need to do is restrict the login capabilities of the UID they have been using for years, barron is the problem UID.

Barron is is use for services and scheduled tasks on over 200 servers and I am the entire IT department. I have not had time in over a year to check every server to be sure I will not cause problems by disabling this user. If they have problems logging in with barron that is to bad, they have their own login.
I'm in the same situation for multiple smaller clients 20 to 50 users. I suggest following my instructions above and wait to see who complains.  

In the past, I've found many users stop using functions as time goes by. You may find only a few employees even need it. this closes up the access to your servers and makes them more secure.

Hope this helps!
Avatar of McKnife
Flag of Germany image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I see that in explaining the network I have muddled the question.

200 servers - workstations are not an issue.

I have not been able to to assign privileges to barron that will allow it to start services and scheduled tasks without making the user a domain admin and domain admins have logon rights to the servers. Other Domain admins need to be able to log in to the servers but barron does not.

I think the domain policy should be able to accomplish this but I do not find where to do it.
Please describe what my suggestion is lacking.
If I had time, test servers and access to the offending users desktop it would work fine.

I'v had a suggestion i am testing now. I group policies there is "Deny lof on through Remot Desktop Services".

I have added barron to that group policy and so far no problems.
My Suggestion is by far better as it gives them only what they need and not Access to any account. You can quickly see what it does by using for example
sc servername start servicename
from a command line that has ben started as privileged user.
It will start the Service "Servicename" on the remote Computer "servername".
Here is what is working, simple and effective.

On the Domain Controller

gpedit.msc  >  Computer Configuration  >  Windows Settings  >  Security Settings  >  Local Policies  >  User Rights Assignment

Double click  >  Deny logon through Remote Desktop Services Properties

Add barron to the policy

This will not prevent local logon but all of the users are using remote desktop through a VPN so this has taken care of the problem.
Thanks for the input. I was about to give up and your input kept me trying to find the answer.