Disable Logon Locally and Interactively for A User (Not By GPO)
Hi!
I am going to define and use accounts in a 2008 domain to be used as SQL proxy accounts (running xp_cmdshell).
Briefly, these accounts should not be able to log in locally or remotely to domain computers.
They should have the log on as a batch job and service permissions on the SQL servers (which they have).
I do not want to define a GPO (or change the default domain policy) to add 1 or 2 users (disabling logon locally).
Is there a property of the user, or something less dangerous with few side effects, to prevent these users from logging on locally or interactively?
Hi,
As per my understanding, there are 2 ways to restrict users from logging on locally.
1. Either you can set the policy “Deny log on locally”, which denies a user the ability to log on at the computer’s console using Ctrl+Alt+Del or the Welcome screen, or by starting a secondary logon session. It has precedence over the “Log on locally” right.
2. Another way to restrict a user is to restrict the machines the user can log on to interactively. AD administrators can restrict the domain machines a domain user can log on to interactively using the AD “Log On To…” user account property. You can access this property on the Account tab of the user’s account properties.
Note: In the 2nd option, instead of "All computers", you can set only the machine name it belongs to.
RDP access restriction: By default, Remote Desktop access is granted to administrators, hence ensure that the particular user account is not a member of the "Administrator" or "Remote Desktop Users" group.
Restricting Interactive User Logons
http://www.windowsitpro.com/article/permissions/restricting-interactive-user-logons-
Best regards,
Abhijit Waikar.
MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
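The second option and the group check from the answer above, scripted as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module is available; the account names and SQL Server computer names are constructed placeholders, and the group check covers only the domain's built-in groups, not the local groups on each member computer.

```powershell
# Added example: account and server names below are constructed placeholders.
Import-Module ActiveDirectory

$ProxyAccounts = @('svc-sqlproxy1', 'svc-sqlproxy2')   # hypothetical proxy accounts
$SqlServers    = @('SQLSRV01', 'SQLSRV02')             # hypothetical SQL Server names
$RiskyGroups   = @('Administrators', 'Remote Desktop Users')

# Resolve the recursive membership of each group once, keyed by group name.
$GroupMembers = @{}
foreach ($group in $RiskyGroups) {
    $GroupMembers[$group] = @(Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { $_.SID.Value })
}

$wanted = $SqlServers -join ','

foreach ($name in $ProxyAccounts) {
    $user = Get-ADUser -Identity $name -Properties LogonWorkstations

    # "Log On To..." on the Account tab: replace "All computers"
    # with the SQL servers only.
    if ($user.LogonWorkstations -ne $wanted) {
        Set-ADUser -Identity $user -LogonWorkstations $wanted
        $user = Get-ADUser -Identity $name -Properties LogonWorkstations
    }

    # Groups that would still grant console or RDP logon to this account.
    $memberOf = @($RiskyGroups |
        Where-Object { $GroupMembers[$_] -contains $user.SID.Value })

    # One report row per account; a non-empty RiskyGroups column needs cleanup.
    New-Object PSObject -Property @{
        Account           = $user.SamAccountName
        LogonWorkstations = $user.LogonWorkstations
        RiskyGroups       = ($memberOf -join ', ')
    }
}
```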