Disable Logon Locally and Interactively for A User (Not By GPO)

    Question

  • Hi!

    I am going to define and use some accounts in a 2008 domain which are used as SQL proxy accounts (running xp_cmdshell).

    To say it briefly, these accounts should not be able to log on locally or remotely to domain computers.

    They should have the "Log on as a batch job" and "Log on as a service" permissions on the SQL servers (which they have).

    I do not want to define a GPO just for this (or change the Default Domain Policy) and add these 1 or 2 users to it (disabling log on locally).

    Is there any property for a user, or a less dangerous way with few side effects, to prevent these users from logging on locally or interactively?

    Saturday, July 14, 2012 5:04 AM

Answers

  • Hi,

    As per my understanding, there are only two ways to restrict a user from logging on locally.

    1. Either you can set the policy "Deny log on locally", which denies a user the ability to log on at the computer's console using Ctrl+Alt+Del or the Welcome screen, or by starting a secondary logon session. It has precedence over the "Allow log on locally" right.

    2. Another way to restrict a user is to restrict the machines to which the user can log on interactively. AD administrators can restrict which domain machines a domain user can log on to interactively by using the AD "Log On To..." user account property. You can access this property from the Account tab of the user's account properties.

    Note: In the 2nd option, instead of "All Computers", you can set only the name of the machine that belongs to you.

    RDP access restriction: By default, remote desktop access is granted only to Administrators, hence ensure the particular user account is not a member of the "Administrators" or "Remote Desktop Users" group.

    Restricting Interactive User Logons
    http://www.windowsitpro.com/article/permissions/restricting-interactive-user-logons-

     


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Saturday, July 14, 2012 6:16 AM
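The second option in this answer, applied and verified with the ActiveDirectory module that ships with Windows Server 2008 R2, as an added example that is not part of the original post. The account name svc_sqlproxy, the server names SQL01 and SQL02, and PowerShell Remoting to those servers are assumptions. The example lists the SQL servers themselves rather than a fictitious computer name: the domain controller checks the "Log On To..." list against the workstation name carried by the logon request, not only console logons, so a batch logon from an unlisted SQL server fails with status 0xC0000070 (STATUS_INVALID_WORKSTATION). Test the xp_cmdshell proxy on each SQL server after the change.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT) and PowerShell Remoting to the SQL servers.
# The account and server names below are assumptions; replace them.
Import-Module ActiveDirectory

$proxyAccount = 'svc_sqlproxy'          # the xp_cmdshell proxy account
$sqlServers   = 'SQL01', 'SQL02'        # where the account may log on as batch/service

# "Log On To..." in ADUC writes the userWorkstations attribute: a comma-separated
# list of NetBIOS names. Listing the SQL servers (not a fictitious name) keeps the
# proxy working there; an empty value would mean "All computers".
Set-ADUser -Identity $proxyAccount -LogonWorkstations ($sqlServers -join ',')

# Read it back. LogonWorkstations is not in the default property set.
$user = Get-ADUser -Identity $proxyAccount -Properties LogonWorkstations
'Allowed workstations for {0}: {1}' -f $user.SamAccountName, $user.LogonWorkstations

# RDP exposure check from the answer: neither the account nor any domain group
# it belongs to may sit in the SQL servers' local Administrators or
# Remote Desktop Users groups. Collect the names to look for ...
$names = @($proxyAccount) + @(Get-ADPrincipalGroupMembership -Identity $proxyAccount |
                              ForEach-Object { $_.SamAccountName })

# ... and compare them with 'net localgroup' output, which works back to Server 2008.
function Find-LocalGroupExposure {
    param([string[]]$GroupListing, [string[]]$Names)
    # Member lines look like "CONTOSO\svc_sqlproxy"; match on the part after the backslash.
    foreach ($line in $GroupListing) {
        $member = ($line.Trim() -split '\\')[-1]
        if ($member -and ($Names -contains $member)) { $line.Trim() }
    }
}

foreach ($server in $sqlServers) {
    foreach ($group in 'Administrators', 'Remote Desktop Users') {
        $listing = Invoke-Command -ComputerName $server -ArgumentList $group -ScriptBlock {
            param($g) net localgroup "$g"
        }
        $hits = @(Find-LocalGroupExposure -GroupListing $listing -Names $names)
        if ($hits) { 'WARNING {0}\{1} contains: {2}' -f $server, $group, ($hits -join ', ') }
        else       { 'OK      {0}\{1}' -f $server, $group }
    }
}
```

The group check deliberately includes the account's domain groups, because a nested "Domain Users" or similar entry in Remote Desktop Users exposes the account just as a direct entry would.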

All replies

  • Thanks so much.

    I was thinking of the second way.

    Does that restrict the user from logging on interactively and locally? (both of them?)

    Saturday, July 14, 2012 6:28 AM
  • Do you have Windows 2008 R2? If yes, you can use Managed Service Accounts (MSA). Otherwise, a down-level OS doesn't have any such functionality, and a service account is the same as a normal domain user account.

    http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx

    The alternative is that you either have to use some custom script, or you need to deny log on locally as well as through Terminal Services using a GPO applied to the OU containing the machines where this account should not be used. The other option is to open ADUC, right-click that user/group, Properties, Account, the "Log On To..." option, and enter some virtual system name. By default, normal domain users can't RDP to any machine in the domain, and using this option to log on to a specific system, you are good to go.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Saturday, July 14, 2012 6:35 AM
    Moderator
  • Since you need to deny logon to all domain computers, you need to define the GPO to achieve this if there are many computers in the network. You can create a group, add the required users to the group, and apply the policy on the OU or domain as per requirement.
    This right is located under: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally

    You can also use the "Log On To" option, as Abhijit suggests, to achieve the same.

    Deny and allow workstation login:
    http://4sysops.com/archives/deny-and-allow-workstation-logons-with-group-policy/

    Hope this helps.


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Saturday, July 14, 2012 6:39 AM
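The right Sandesh names lives in the same place in each computer's local security policy; a GPO only distributes it. Below is an added example (not from the thread) that assigns "Deny log on locally" and its Terminal Services counterpart to one account on one machine with secedit, merging into the existing assignment instead of replacing it, and then prints the rights the SQL proxy still needs. CONTOSO\svc_sqlproxy and the working directory under %TEMP% are assumptions. It suits a handful of machines; for many, deploy the same two rights through a GPO on the computers' OU as Sandesh describes, bearing in mind that a GPO which defines these rights overwrites the local values at the next policy refresh.

```powershell
# Added example, not from the thread. Run elevated on each SQL server.
# Sets "Deny log on locally" (SeDenyInteractiveLogonRight) and "Deny log on
# through Terminal Services" (SeDenyRemoteInteractiveLogonRight) for one
# account via secedit, without a GPO. The account name is an assumption.
$account = 'CONTOSO\svc_sqlproxy'

# User rights are stored by SID; resolve the account once.
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. Export the current assignment so we merge rather than clobber: a template
#    replaces the holder list of every right it names.
$work = Join-Path $env:TEMP 'ura'
New-Item -ItemType Directory -Path $work -Force | Out-Null
secedit /export /cfg "$work\current.inf" /areas USER_RIGHTS | Out-Null
$current = Get-Content "$work\current.inf"

function Get-RightHolders {
    # Returns the holders of one right from an exported template, e.g.
    # "SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-21-..." -> two entries.
    param([string[]]$Inf, [string]$Right)
    $line = $Inf | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

# 2. New holder lists: whoever is there already, plus our account as *SID.
$deny  = 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
$lines = foreach ($right in $deny) {
    $holders = @(Get-RightHolders -Inf $current -Right $right)
    if ($holders -notcontains "*$sid") { $holders += "*$sid" }
    "$right = " + ($holders -join ',')
}

# 3. Write a template that names only those two rights, and apply it.
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$($lines -join "`r`n")
"@
Set-Content -Path "$work\deny.inf" -Value $template -Encoding Unicode
secedit /configure /db "$work\deny.sdb" /cfg "$work\deny.inf" /areas USER_RIGHTS

# 4. Verify: both deny rights now hold the SID, and the proxy's batch/service
#    rights are untouched (secedit prints holders as *SID values).
secedit /export /cfg "$work\after.inf" /areas USER_RIGHTS | Out-Null
$after = Get-Content "$work\after.inf"
foreach ($right in $deny + 'SeServiceLogonRight', 'SeBatchLogonRight') {
    $holders = @(Get-RightHolders -Inf $after -Right $right)
    '{0,-34} {1}' -f $right, ($holders -join ', ')
}
```

"Deny log on locally" on its own leaves RDP untouched, which is why the template sets the Terminal Services deny right as well; neither touches "Log on as a batch job" or "Log on as a service", so xp_cmdshell's proxy logon keeps working on the server where the template is applied.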
  • The second option will allow the user to log on interactively only on the specific machine (whether it is present on the network or not) that is defined on the "Log On" tab.

    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Saturday, July 14, 2012 6:46 AM
  • Thanks to all.

    By the way,

    what is interactive logon in fact?

    I know what local logon is, OK, but what about interactive logon in depth?

    This user should be usable to run SQL cmd shell scripts (SQL uses this account as a proxy account to run a script).

    So I should be sure that this setting (limiting user logon to a fake system) does not corrupt this SQL thing.

    Saturday, July 14, 2012 7:12 AM
  • Interactive logon can be local or remote. It is just a term that defines the way credentials and identity are exchanged to allow access to the system. Take a look at the link below.

    What is Interactive Logon?

    http://technet.microsoft.com/en-us/library/cc780095%28v=ws.10%29


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.


    Saturday, July 14, 2012 7:17 AM
    Moderator
  • Thanks.

    So what do you think? Does limiting logon to a fake PC prevent those SQL servers from using that account and running a shell with it?

    Is running a SQL SP (script) some kind of interactive logon?

    Saturday, July 14, 2012 7:31 AM
  • You are going to configure one of the domain accounts to run as a service, and yes, it is going to be an interactive logon where information such as a ticket will be exchanged for authenticating the service with AD. Logon locally/remotely is used for logging in to the system interface, and these are two types of interactive logon.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Saturday, July 14, 2012 7:41 AM
    Moderator
  • Hi,

    1. Yes, that user will be able to log on only on the mentioned machine (FAKE or whatever), not on the SQL server.

    2. No, that is not a kind of interactive logon (an interactive logon to a computer can be performed either locally, when the user has direct physical access, or remotely, through Terminal Services).


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.


    Saturday, July 14, 2012 7:51 AM
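The two replies above disagree on whether the SQL proxy's logon is interactive; the Security log on the SQL server settles it. The following is an added example, not from the original thread, that reads the 4624/4625 events for one account and reports the logon types actually used, with the failure codes that the two controls discussed in this thread produce. It assumes an account named svc_sqlproxy and is run as an administrator on the SQL server after the proxy has been exercised.

```powershell
# Added example, not from the thread. Run on a SQL server as an administrator.
# Reports which logon types the account actually used (Security log, last 24h),
# so you can see the xp_cmdshell proxy's logon type and catch the failures the
# restrictions discussed here produce. svc_sqlproxy is an assumed account name.
$account = 'svc_sqlproxy'
$since   = (Get-Date).AddHours(-24)

$logonTypeName = @{
    2 = 'Interactive (console)'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive (RDP)'; 11 = 'CachedInteractive'
}
# NTSTATUS codes seen in 4625 for the two controls discussed above.
$statusName = @{
    '0xc0000070' = 'STATUS_INVALID_WORKSTATION: "Log On To..." list excludes this computer'
    '0xc000015b' = 'STATUS_LOGON_TYPE_NOT_GRANTED: logon right denied or not assigned'
    '0xc000006e' = 'STATUS_ACCOUNT_RESTRICTION: see SubStatus'
}

function Get-EventField {
    # Pulls one named <Data> value out of an event's XML rendering.
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    if ((Get-EventField $x 'TargetUserName') -ne $account) { continue }
    $type   = [int](Get-EventField $x 'LogonType')
    $result = 'success'
    $reason = ''
    if ($e.Id -eq 4625) {
        $result = 'FAILURE'
        # SubStatus carries the specific reason when Status is the generic 0xC000006E.
        $sub  = Get-EventField $x 'SubStatus'
        $code = if ($sub -and $sub -ne '0x0') { $sub } else { Get-EventField $x 'Status' }
        $reason = '{0} {1}' -f $code, $statusName["$code".ToLower()]
    }
    New-Object PSObject -Property @{
        Time        = $e.TimeCreated
        Result      = $result
        LogonType   = '{0} {1}' -f $type, $logonTypeName[$type]
        Workstation = Get-EventField $x 'WorkstationName'
        Process     = Get-EventField $x 'ProcessName'
        Reason      = $reason
    }
}

$rows | Sort-Object Time |
    Format-Table Time, Result, LogonType, Workstation, Process, Reason -AutoSize

# One line per logon type. For the xp_cmdshell proxy expect 4 (Batch), matching
# the "Log on as a batch job" right the question says the account has; any
# 2, 10 or 11 row is exactly what the question wants to prevent.
$rows | Group-Object LogonType | Select-Object Name, Count
```

Run the proxied xp_cmdshell once before looking, so the listing contains at least one event for the account; a 4625 with 0xC0000070 right after applying "Log On To..." means the SQL server itself needs to be on that list.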
  • OK.

    So maybe the best thing to do now is to limit his logon to a fake PC. In this way he can use that SQL service but will not be able to log on to any computer.

    Another question:

    We have Exchange 2010, and maybe we will decide to assign an email address to this service account (to gather logs and so on).

    In the condition mentioned above, will the user be able to use Outlook Web App or Microsoft Outlook? Or is that some kind of logon to the Exchange server, so he won't be able to do that?

    Saturday, July 14, 2012 7:52 AM
  • Hi,

    1. Yes, that is an option for you.

    2. As far as I know, there should not be any problem using Outlook Web App (not sure about Outlook, as it requires a machine to be set up), assigning a mail ID to that user, and gathering logs.


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Saturday, July 14, 2012 8:01 AM
  • In addition, have a look at how interactive logon works.

    How Interactive Logon Works
    http://technet.microsoft.com/en-us/library/cc780332(v=ws.10).aspx

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Saturday, July 14, 2012 8:12 AM