Windows Equivalent to /sbin/nologin


Guest William.Voyek@gmail.com
Posted

Hello,

I have created AD accounts for some services running on multiple servers. I would like to secure those accounts by making it so that the service account could not be used to log in to a system locally (i.e. at the console). In RedHat I can accomplish this by giving the account the /sbin/nologin shell as their default shell. How do I accomplish the same in Windows?

Thank you,

Bill

Guest Pegasus (MVP)
Posted

Re: Windows Equivalent to /sbin/nologin

 

 

<William.Voyek@gmail.com> wrote in message
news:59b51db5-7b30-48e2-9f31-e489b550f2e4@z6g2000pre.googlegroups.com...
> Hello,
>
> I have created AD accounts for some services running on multiple
> servers. I would like to secure those accounts by making it so that
> the service account could not be used to log in to a system locally
> (i.e. at the console). In RedHat I can accomplish this by giving the
> account the /sbin/nologin shell as their default shell. How do I
> accomplish the same in Windows?
>
> Thank you,
>
> Bill

 

Try this path: secpol.msc / Local Policies / User Rights Assignment / Deny logon locally. Now specify the accounts that you want to prevent from logging on locally, then test them. Warning: In the past some posters in this newsgroup entered the Administrator account, with entirely predictable but rather disastrous results . . .

Posted

Re: Windows Equivalent to /sbin/nologin

 

On Sep 4, 1:30 pm, "Pegasus (MVP)" <I....@fly.com.oz> wrote:
> <William.Vo...@gmail.com> wrote in message
> news:59b51db5-7b30-48e2-9f31-e489b550f2e4@z6g2000pre.googlegroups.com...
>
> > Hello,
> >
> > I have created AD accounts for some services running on multiple
> > servers. I would like to secure those accounts by making it so that
> > the service account could not be used to log in to a system locally
> > (i.e. at the console). In RedHat I can accomplish this by giving the
> > account the /sbin/nologin shell as their default shell. How do I
> > accomplish the same in Windows?
> >
> > Thank you,
> >
> > Bill
>
> Try this path: secpol.msc / Local Policies / User Rights Assignment / Deny
> logon locally. Now specify the accounts that you want to prevent from
> logging on locally, then test them. Warning: In the past some posters in
> this newsgroup entered the Administrator account, with entirely predictable
> but rather disastrous results . . .

 

First, thanks for your help. I'd like to apply this Domain wide so that the setting applies to all workstations and servers. Using Microsoft’s Group Policy Management app, how would I accomplish this? Here’s what I think I should do (correct me if I have missed anything or done something wrong):

1. Using Active Directory Users and Computers, in the root level of the AD domain, create a "Security Group – Domain Local" that contains all of the service user accounts
2. Using Group Policy Management, Create and Link a New GPO at the root level of the domain
3. Edit it @ GPO -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Deny logon locally, add the AD Service Account Group
4. Set the new GPO to Enforced

Guest Pegasus (MVP)
Posted

Re: Windows Equivalent to /sbin/nologin

 

 

"bill" <William.Voyek@gmail.com> wrote in message
news:06779c75-beb9-4a6a-93b4-869ea9983f49@k13g2000hse.googlegroups.com...
On Sep 4, 1:30 pm, "Pegasus (MVP)" <I....@fly.com.oz> wrote:
> <William.Vo...@gmail.com> wrote in message
> news:59b51db5-7b30-48e2-9f31-e489b550f2e4@z6g2000pre.googlegroups.com...
>
> > Hello,
> >
> > I have created AD accounts for some services running on multiple
> > servers. I would like to secure those accounts by making it so that
> > the service account could not be used to log in to a system locally
> > (i.e. at the console). In RedHat I can accomplish this by giving the
> > account the /sbin/nologin shell as their default shell. How do I
> > accomplish the same in Windows?
> >
> > Thank you,
> >
> > Bill
>
> Try this path: secpol.msc / Local Policies / User Rights Assignment / Deny
> logon locally. Now specify the accounts that you want to prevent from
> logging on locally, then test them. Warning: In the past some posters in
> this newsgroup entered the Administrator account, with entirely predictable
> but rather disastrous results . . .

 

First, thanks for your help. I'd like to apply this Domain wide so that the setting applies to all workstations and servers. Using Microsoft’s Group Policy Management app, how would I accomplish this? Here’s what I think I should do (correct me if I have missed anything or done something wrong):

1. Using Active Directory Users and Computers, in the root level of the AD domain, create a "Security Group – Domain Local" that contains all of the service user accounts
2. Using Group Policy Management, Create and Link a New GPO at the root level of the domain
3. Edit it @ GPO -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Deny logon locally, add the AD Service Account Group
4. Set the new GPO to Enforced

 

================

 

Sorry, I'm away from my servers for a couple of weeks and am therefore not in a position to confirm your steps with any degree of authority. I suggest you try them for yourself.
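
One way to test the outcome on a member machine once the GPO has applied, as an added example that is not part of the thread: parse a user-rights export produced by `secedit /export /cfg rights.inf /areas USER_RIGHTS` and check that the service-account group is listed under `SeDenyInteractiveLogonRight` (the constant behind "Deny log on locally") while no administrator principal is, which is the lock-out warned about above. The export text, the domain SID and the group RID 1613 are constructed sample values.

```python
"""Audit 'Deny log on locally' in a secedit user-rights export (added example)."""

DENY_LOCAL = "SeDenyInteractiveLogonRight"   # constant behind "Deny log on locally"
ADMINISTRATORS_GROUP = "S-1-5-32-544"        # well-known BUILTIN\Administrators SID

# Constructed sample in the format written by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# The domain SID and RID 1613 (the service-accounts group) are made up.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-21-1111111111-2222222222-3333333333-1613
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; unresolved names appear bare.
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def is_admin_principal(principal):
    """True for BUILTIN Administrators, the RID-500 Administrator, or Domain Admins (RID 512)."""
    p = principal.upper()
    if p == ADMINISTRATORS_GROUP or p in ("ADMINISTRATOR", "ADMINISTRATORS"):
        return True
    return p.startswith("S-1-5-21-") and p.rsplit("-", 1)[-1] in ("500", "512")

def audit_deny_local(inf_text, service_group_sid):
    """Check that the service group is denied and that no admin principal is."""
    denied = parse_privilege_rights(inf_text).get(DENY_LOCAL, [])
    return {
        "service_group_denied": service_group_sid.upper() in (d.upper() for d in denied),
        "admins_locked_out": [d for d in denied if is_admin_principal(d)],
    }

if __name__ == "__main__":
    print(audit_deny_local(SAMPLE_INF, "S-1-5-21-1111111111-2222222222-3333333333-1613"))
```

A real export file is normally UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `audit_deny_local`.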

