<div>
Tell me, why did you choose a domain admin for running a service? Surely, local admins cannot be used when it comes to networking, but we can use the &quot;real&quot; service accounts, why would it have to have domain admin rights?<br />
Security-wise, this is a no-go and limiting that account is the wrong approach.<br />
<br />
<a href="https://technet.microsoft.com/en-us/library/dd548356%28v=ws.10%29.aspx?" rel="ugc">https://technet.microsoft.com/en-us/library/dd548356%28v=ws.10%29.aspx?</a>
</div>


Tell me, why did you choose a domain admin for running a service? Surely, local admins cannot be used when it comes to networking, but we can use the "real" service accounts, why would it have to have domain admin rights?
Security-wise, this is a no-go and limiting that account is the wrong approach.

https://technet.microsoft.com/en-us/library/dd548356%28v=ws.10%29.aspx? [https://technet.microsoft.com/en-us/library/dd548356%28v=ws.10%29.aspx?]

<div>
<div class="content wysiwyg-content">
We need to adjust these to adjust our service accounts and would like them to be restricted to a particular server and restrict their logon or access. &nbsp;Any suggestions on how to manage this through Active Directory at an enterprise level? We want to lock down the accounts to specific servers but we can't use local admins for these particular group of accounts.<br />
<br />
For the time being I was thinking about using AD to &quot;logon on to&quot; and enter the server names to limit the access but I was didn't know if there was any better approach to the solution. Any suggestion or any other ways to configure? Caveats?
</div>
</div>


We need to adjust these to adjust our service accounts and would like them to be restricted to a particular server and restrict their logon or access.  Any suggestions on how to manage this through Active Directory at an enterprise level? We want to lock down the accounts to specific servers but we can't use local admins for these particular group of accounts.

For the time being I was thinking about using AD to "logon on to" and enter the server names to limit the access but I was didn't know if there was any better approach to the solution. Any suggestion or any other ways to configure? Caveats?

Domain administrator service accounts limit access to a particular server/s

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

Windows Server 2008 and Windows Server 2008 R2, based on the Microsoft Vista codebase, is the last 32-bit server operating system released by Microsoft. It has a number of versions, including including Foundation, Standard, Enterprise, Datacenter, Web, HPC Server, Itanium and Storage; new features included server core installation and Hyper-V.

Windows Server 2008

The Microsoft Server topic includes all of the legacy versions of the operating system, including the Windows NT 3.1, NT 3.5, NT 4.0 and Windows 2000 and Windows Home Server versions.