Active Directory - Prevent Interactive logon for service accounts

Overview
Deny logon locally is a Group Policy Object (GPO) setting that should be used for all service accounts because it shuts down one avenue of exploitation—an interactive logon (e.g., a logon using Ctrl+Alt+Del) to a system with that account.
Create Policy
Create a group to hold the accounts that will be denied local logon (e.g., d-logonlocally-deny).
In the GPO snap-in, create a new policy.
Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Add the group to these settings: Deny log on locally and Deny log on through Remote Desktop Services
Testing Procedure
On the server, test by logging in as a service account.
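The steps above can be scripted and checked without a manual logon attempt. The following PowerShell is an added example, not part of the original article: it creates the group and then confirms on a server that both deny rights list it. The account name svc-example01 and both function names are hypothetical; the first function assumes the RSAT ActiveDirectory module, and the second must run elevated after the GPO has applied.

```powershell
# Added example. Dot-source this file, then call each function where noted.
function New-DenyLogonGroup {
    # Run on an admin workstation with the RSAT ActiveDirectory module.
    param([string]$GroupName = 'd-logonlocally-deny',        # group name from the article
          [Parameter(Mandatory)][string[]]$ServiceAccounts)  # e.g. 'svc-example01' (hypothetical)
    Import-Module ActiveDirectory
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
            -Description 'Members are denied local and Remote Desktop logon'
    }
    Add-ADGroupMember -Identity $GroupName -Members $ServiceAccounts
}

function Test-DenyLogonRight {
    # Run elevated on the target server once the GPO has applied (gpupdate /force).
    param([string]$GroupName = 'd-logonlocally-deny')

    # secedit writes domain principals as *<SID>, so resolve the group to its SID first.
    $account = [System.Security.Principal.NTAccount]$GroupName
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Export only the effective user rights assignments to a temporary INF file.
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $cfg
    Remove-Item -Path $cfg

    # Privilege constants behind "Deny log on locally" and
    # "Deny log on through Remote Desktop Services".
    foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $entry = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        $members = if ($entry) { ($entry -split '=', 2)[1].Split(',').Trim() } else { @() }
        [pscustomobject]@{
            Right   = $right
            Applied = ($members -contains "*$sid") -or ($members -contains $GroupName)
        }
    }
}

# Admin workstation:  New-DenyLogonGroup -ServiceAccounts 'svc-example01'
# Target server:      Test-DenyLogonRight | Format-Table -AutoSize
```

Both rows should show Applied as True; a False row means the GPO is not linked to that server's OU or has not refreshed yet.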
Written by Ryan F
