Windows user to start and stop services that cannot log into servers.
I need to change permission on a user ID. I need the account to be able to start services and run Scheduled tasks but not be able to log into server or workstations.
Currently the UID in question is a member of the administrators group and is being used used as a universal login name by the development team. I have tried everything except disabling the UID to stop this practice. The UID has been used for many years and is used for many services and scheduled tasks.
Any ideas on how to prevent the login of this UID without bringing down many services and scheduled tasks?
Currently the UID in question is a member of the administrators group and is being used used as a universal login name by the development team. I have tried everything except disabling the UID to stop this practice. The UID has been used for many years and is used for many services and scheduled tasks.
Any ideas on how to prevent the login of this UID without bringing down many services and scheduled tasks?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I'm in the same situation for multiple smaller clients 20 to 50 users. I suggest following my instructions above and wait to see who complains.
In the past, I've found many users stop using functions as time goes by. You may find only a few employees even need it. this closes up the access to your servers and makes them more secure.
Hope this helps!
In the past, I've found many users stop using functions as time goes by. You may find only a few employees even need it. this closes up the access to your servers and makes them more secure.
Hope this helps!
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I see that in explaining the network I have muddled the question.
200 servers - workstations are not an issue.
I have not been able to to assign privileges to barron that will allow it to start services and scheduled tasks without making the user a domain admin and domain admins have logon rights to the servers. Other Domain admins need to be able to log in to the servers but barron does not.
I think the domain policy should be able to accomplish this but I do not find where to do it.
200 servers - workstations are not an issue.
I have not been able to to assign privileges to barron that will allow it to start services and scheduled tasks without making the user a domain admin and domain admins have logon rights to the servers. Other Domain admins need to be able to log in to the servers but barron does not.
I think the domain policy should be able to accomplish this but I do not find where to do it.
Please describe what my suggestion is lacking.
ASKER
If I had time, test servers and access to the offending users desktop it would work fine.
I'v had a suggestion i am testing now. I group policies there is "Deny lof on through Remot Desktop Services".
I have added barron to that group policy and so far no problems.
I'v had a suggestion i am testing now. I group policies there is "Deny lof on through Remot Desktop Services".
I have added barron to that group policy and so far no problems.
My Suggestion is by far better as it gives them only what they need and not Access to any account. You can quickly see what it does by using for example
sc servername start servicename
from a command line that has ben started as privileged user.
It will start the Service "Servicename" on the remote Computer "servername".
sc servername start servicename
from a command line that has ben started as privileged user.
It will start the Service "Servicename" on the remote Computer "servername".
ASKER
Here is what is working, simple and effective.
On the Domain Controller
gpedit.msc > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Double click > Deny logon through Remote Desktop Services Properties
Add barron to the policy
This will not prevent local logon but all of the users are using remote desktop through a VPN so this has taken care of the problem.
On the Domain Controller
gpedit.msc > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Double click > Deny logon through Remote Desktop Services Properties
Add barron to the policy
This will not prevent local logon but all of the users are using remote desktop through a VPN so this has taken care of the problem.
ASKER
Thanks for the input. I was about to give up and your input kept me trying to find the answer.
ASKER
Barron is is use for services and scheduled tasks on over 200 servers and I am the entire IT department. I have not had time in over a year to check every server to be sure I will not cause problems by disabling this user. If they have problems logging in with barron that is to bad, they have their own login.