Re: User account for scheduled tasks only?
- From: Jason <not@xxxxxxxx>
- Date: Tue, 1 Jul 2008 23:32:32 +0000 (UTC)
Thanks, Dave. I followed your advice and then some. First I created the new account without an e-mail address, put it in Administrators, then gave it a really complex password that does not require changing. I then denied logon locally in the domain controller policy and also, on the user account properties, I checked "Deny this user permissions to log on to any Terminal Server" so it could not RDP either. Then, since I did not want it to be able to log on to workstations, I created a new computer settings GPO under MyBusiness\Computers\SBSComputers and added that user to the "Deny log on locally" policy in the Local Policies\User Rights Assignment area of the Computer Configuration GPO.
Finally, since I wanted to back up files on certain workstations using this account, I manually added this special account to the local Administrators group on just those PCs.
I then tested my scripts and confirmed it was able to back up all the files on the server and workstations that I tested. This feels much better and wiser than using the default Administrator account for custom scheduled tasks.
Hello Dave Nickason [SBS MVP],
"Deny log on locally" trumps "Allow log on locally." So what you
would do is to create the account, making it a member of the
Administrators security group. Then, go to Administrative Tools ->
Domain Controller Security Policy. The setting is under Local
Policies -> User Rights Assignment - just dbl-click Deny log on
locally and add the new account, run gpupdate /force, then test to
make sure you get the intended results.
Another idea would be to just give the new account a really good
password that you store somewhere on your client PC. That way, even
someone with the username would be unlikely to be able to log in. I'm
thinking something like y`+dN5^.\\b&LW0.:n4q>n}M'0jwf8yqaS3^F18T9, and
you'd copy and paste it when you created a new task.
By the way, whenever you make changes to a built-in policy such as the
Domain Controllers Security Policy, I recommend documenting your
actions in writing. This will help for "undo" purposes if you end up
with an unpleasant surprise.
"Jason" <not@xxxxxxxx> wrote in message
news:d1a3f41b1ae888caa97077f5607e@xxxxxxxxxxxxxxxxxxxxx
I want to create an account on our SBS server for only running scheduled tasks like backups to various external drives. I do not want this account to be able to log in to the server, but I do want it to have complete access to all file shares, as well as those on the local PCs (C$, etc) so by default it would need to have Administrator access, at least on local PCs, correct?
Does anyone have a standard way of handling such accounts so they have these powers but can't actually log in to the server? I looked at "Domain Power Users" and "Backup Operators" but neither of these appear to be configured by default to do what I want them to.
I'm trying to avoid running these tasks as the Administrator because I plan to change the Administrator's PW frequently and that's a huge hassle when you have several important scheduled tasks.
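The "test to make sure you get the intended results" step in the thread can also be checked against the exported policy instead of by attempting a logon. The PowerShell below is an added example, not part of the original thread: it parses the `[Privilege Rights]` section written by `secedit /export /areas USER_RIGHTS` and applies the deny-trumps-allow rule. The account name `svc-backup`, its SID and the sample export are constructed for illustration.

```powershell
# Added example. 'svc-backup', its SID and $sampleInf are constructed for illustration.
# On a live machine, replace $sampleInf with a real export:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $sampleInf = Get-Content "$env:TEMP\rights.inf"
$sampleInf = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight = svc-backup,*S-1-5-21-1111111111-2222222222-3333333333-1601
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"

function Get-UserRightAssignment {
    # Returns a hashtable: right name -> array of account names / SIDs.
    param([string[]]$InfLines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $text -eq '' -or $text.StartsWith(';')) { continue }
        $name, $value = $text -split '=', 2
        if ($null -eq $value) { continue }
        # SIDs are written with a leading '*'; strip it so names and SIDs compare alike.
        $rights[$name.Trim()] = @($value -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
    $rights
}

function Test-LocalLogon {
    # $Identity: the account's name and SID plus the SIDs of every group it belongs to.
    param([hashtable]$Rights, [string[]]$Identity)
    $allowedBy = @($Rights['SeInteractiveLogonRight'] | Where-Object { $Identity -contains $_ })
    $deniedBy  = @($Rights['SeDenyInteractiveLogonRight'] | Where-Object { $Identity -contains $_ })
    [pscustomobject]@{
        AllowedBy       = $allowedBy -join ', '
        DeniedBy        = $deniedBy -join ', '
        # Deny wins: a single matching deny entry blocks logon regardless of allows.
        CanLogOnLocally = ($allowedBy.Count -gt 0) -and ($deniedBy.Count -eq 0)
    }
}

$rights = Get-UserRightAssignment -InfLines $sampleInf
# The account is in Administrators (S-1-5-32-544), which holds the allow right.
Test-LocalLogon -Rights $rights -Identity 'svc-backup', 'S-1-5-32-544'
```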