Restrict both local machine accounts and domain accounts from login

Tekmazter

Pretty straightforward question here and I can't seem to remember how to do
this or the knowledge base article on it...

Anyway... I would like to do the following:

(!) DISallow all accounts both local and domain except for Enterprise
Admins, Domain Admins, and local administrators at a particular machine from
logging into my servers locally --meaning while sitting in front of the
machine
 
Tekmazter

Okay, I should say that I found out how to restrict logon accounts
immediately after posting this, so I will go into a new question that this
has created....

I restricted logon interactively via the local machine (servers in this
case) policy. I do not have in place any group policy settings which would
effectively override these settings. Okay, for the new question...

I do have service accounts that are also part of the Users group, for which I
have disabled interactive logons. Some of them are listed explicitly when
using the local machine policy as having this right; however, others
(sqldebugger, for example) are not listed, but are members of the Users
group.

Q. Will this have any effect on the service account if it attempts to run
against the machine when called upon and not having the logon interactively
permission? Of course I can always add that account explicitly too, but
before I go and dbl-up on permissions, I thought I'd ask first.
 
Steven L Umbach

I believe that they will not have a problem as long as they have the user
right to log on as a service. Of course, your best bet is to test out the
configuration and, for services configured to start manually, log on as a local
administrator and see if you can start the service. You could also configure
auditing on your server for audit privilege use for failure and then look in
the security log for failure events to see if there are problems with the
service. --- Steve
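
An added example, not part of any post in this thread: a PowerShell check of the distinction discussed above, reading the user rights section of a `secedit` export and reporting whether a service account holds the "log on as a service" right separately from the interactive logon right. The account name `CONTOSO\svc_sql`, the SIDs, and the function names `Get-PrivilegeRights` and `Test-LogonRight` are constructed for illustration.

```powershell
# Constructed sample of the [Privilege Rights] section produced by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# The SIDs and the account CONTOSO\svc_sql are made up for this example.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-512
SeServiceLogonRight = *S-1-5-20,CONTOSO\svc_sql
SeDenyInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
'@

function Get-PrivilegeRights {
    param([string]$InfText)
    $rights = @{}
    $inSection = $false
    foreach ($raw in $InfText -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            # Holders are comma separated; SIDs carry a leading '*', names do not.
            $name = $Matches[1]; $value = $Matches[2]
            $rights[$name] = @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $rights
}

function Test-LogonRight {
    param([hashtable]$Rights, [string]$Right, [string[]]$Identities)
    # True when the account itself or any group in its token is granted $Right.
    $holders = @($Rights[$Right])
    return [bool]($Identities | Where-Object { $holders -contains $_ })
}

$rights = Get-PrivilegeRights -InfText $sampleInf
# Identities assumed to be in the service account's token: its own name plus BUILTIN\Users.
$svcToken = 'CONTOSO\svc_sql', 'S-1-5-32-545'
foreach ($r in 'SeServiceLogonRight', 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
    '{0,-28} {1}' -f $r, (Test-LogonRight $rights $r $svcToken)
}
```

To run it against a real server, replace `$sampleInf` with `Get-Content rights.inf -Raw` after exporting from an elevated prompt, and supply the account's actual group SIDs.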
 
Tekmazter

Good advice Steve,

It looks like everything is working out correctly here. I appreciate
it --thanks!
 
