Restrict interactive logon on AD service accounts.

Hello,

We are trying to restrict our service accounts in AD from performing the interactive logon process by pressing the CTRL-ALT-DEL key sequence.

What is the best way to do it?  We have all service accounts in an OU in AD.  Is it possible to use group policy to restrict that?  

Or should I do that at the machine level?

Please advise.

Thanks.
nav2567 Asked:
Shimshey Rosenberg, SysAdmin, Commented:
Is the goal to deny them from being logged on at all?
 
Lee W, MVP, Technology and Business Process Advisor, Commented:
Haven't done this - but a good idea and I might now.  My first reaction is to try to create a Service Accounts group and then to create a group policy that restricts (explicitly denies) the right to interactive login.
 
nav2567, Author, Commented:
Yes.  

I have grouped all my service accounts into a service account global security group.

Should I just edit the domain policy and add the group into the "deny log on locally" and "deny log on through terminal services" under computer configuration>policies>windows settings>security settings>local policies>user rights assignment?
 
Shimshey Rosenberg, SysAdmin, Commented:
Yes, this is most likely your best option.
 
Naveen Sharma Commented:
In the GPO MMC snap-in, you can assign logon rights from the Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignments container.

In more detail:

Restricting Interactive User Logons
http://www.itprotoday.com/security/restricting-interactive-user-logons

Deny interactive logon for Service Accounts
http://www.alexheer.co.uk/it-blog/deny-interactive-logon-for-service-accounts

The security of Service Accounts in Active Directory is important and there are some simple things you can do to ensure it: https://www.lepide.com/blog/nine-tips-for-preventing-misuse-of-service-accounts-in-active-directory/
 
Shaun Vermaak, Technical Specialist/Developer, Commented:
Question has a verified solution.
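
To confirm that the two deny rights discussed in this thread actually reached a given computer, the following added example (not code from any participant) parses a `secedit` user-rights export and reports whether the service-account group's SID is listed under each right. The SID, the sample export, and the function name `Test-DenyLogonRight` are constructed placeholders.

```powershell
# Added example, not from the thread. Checks a user-rights export for the two deny rights.
# Produce a real export on the target computer from an elevated prompt:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
param(
    [string]$InfPath,   # optional path to a real export; the constructed sample is used if omitted
    [string]$GroupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # placeholder SID
)

# Constructed sample of an export (values are made up). "Deny log on locally" is set,
# the Remote Desktop / Terminal Services deny right is not.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105,Guest
SeDenyNetworkLogonRight = Guest
'@ -split "`r?`n"

function Test-DenyLogonRight {
    param([string[]]$InfLines, [string]$Sid)
    # SeDenyInteractiveLogonRight       = "Deny log on locally"
    # SeDenyRemoteInteractiveLogonRight = "Deny log on through Terminal Services"
    foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        # A right that is not defined on the computer has no line in the export.
        $line = $InfLines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
        $members = @()
        if ($line) {
            # Entries are comma separated; SIDs carry a leading '*'.
            $members = @(($line -split '=', 2)[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
        [pscustomobject]@{
            Right       = $right
            Defined     = [bool]$line
            GroupDenied = $members -contains $Sid
            Members     = $members -join ', '
        }
    }
}

$lines  = if ($InfPath) { Get-Content -LiteralPath $InfPath } else { $sample }
$result = Test-DenyLogonRight -InfLines $lines -Sid $GroupSid
$result | Format-Table -AutoSize
if ($result.GroupDenied -contains $false) {
    Write-Warning 'The group is missing from at least one deny-logon right on this computer.'
}
```

User rights are computer-side settings, so run the check against an export from each class of machine the GPO is meant to cover rather than once for the domain.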
