Re: Services account issue
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Mon, 05 Feb 2007 10:50:41 -0500
You really shouldn't give a service domain admin rights. It is almost certainly far more rights than it actually needs. Look into delegation.
Outside of that, you cannot completely block an ID from being used in any way but to start a service, there are multiple ways IDs can be used outside of interactive auth such as NET USE /USER and through RUNAS or some other tools that allow using alternate creds.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
BT wrote:
Thanks.
How about if it is a domain user account with domain admin right? I've to do it in domain secuirty policy or domain controller security policy?
Please advice.
BT
"Jerold Schulman" <Jerry@xxxxxxxxxx> wrote in message news:er9es21mlukv1oh8p5gg49ena0unihj7up@xxxxxxxxxxOn Mon, 5 Feb 2007 19:04:20 +0800, "BT" <barrytsiu@xxxxxxxxxxx> wrote:
Hi allYes. Simply grant the account Logon as a Service and Deny logon locally using
Is it possible to create a services account so that it will use to startup
the services only, but cannot logon to workstation?
Please advice.
Thanks
BT
Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.
Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
- References:
- Services account issue
- From: BT
- Re: Services account issue
- From: Jerold Schulman
- Re: Services account issue
- From: BT
- Services account issue
- Prev by Date: Re: User password expire
- Next by Date: Re: Active Director rights
- Previous by thread: Re: Services account issue
- Next by thread: Re: Active Director rights
- Index(es):
Relevant Pages
|
