We have a few critical service accounts at my company. Occasionally someone who should not attempts to log in to one of these. (Not nefarious, just trying to get a job done the wrong way.)
After a few failed attempts to log in, the account gets locked out. And ... bad things ... happen.
Is there a way in Active Directory to set up a User such that it will totally ignore a login attempt unless it comes from a whitelist of server names?
Note: By "totally ignore", I mean it can't login and can't be locked out by failed attempts.
The only thing I can think of is to make a GPO that sets the 'Log on as a service' right to Deny for that user.
A couple different ways to do it from here on out, depending on how your OUs are configured.
Either apply that Deny GPO to all the desired hosts, i.e. the computers that are not approved. There might be an 'exclude' option you can use here to exclude the hosts you DO want the account to successfully run as a service on. If that's not an option, you could apply that Deny GPO to all hosts, then have the approved hosts in a sub-OU and apply an Allow 'Log on as a service' to those approved hosts. Because the Allow is closer to the hosts, it will override the Deny.
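Once that GPO layout is in place, the check I would run on each host is to read back the effective "Log on as a service" Allow and Deny lists and confirm where the service account ended up. This is an added PowerShell example, not code from the answer above; the account name is a placeholder, and it checks the account's own SID only (a Deny inherited through group membership would not be reported).

```powershell
# Added example: report whether an account is in the effective
# SeServiceLogonRight (Allow) / SeDenyServiceLogonRight (Deny) lists on this host.
# Run in an elevated PowerShell. $Account is a placeholder, not a real account.
param(
    [string]$Account = 'CONTOSO\svc-critical'
)

$inf = Join-Path $env:TEMP 'user-rights.inf'
# secedit exports the effective local policy (after GPO application) as an INF file
secedit /export /cfg $inf /areas user_rights | Out-Null

# The INF lists rights holders as *SID, so translate the account name to its SID
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Parse the [Privilege Rights] section: right name -> list of SIDs
$rights    = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]') {
        $inSection = ($Matches[1] -eq 'Privilege Rights')
        continue
    }
    if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

$allowed = @($rights['SeServiceLogonRight'])     -contains $sid
$denied  = @($rights['SeDenyServiceLogonRight']) -contains $sid

# A Deny assignment always wins over an Allow for the same principal
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    Account           = $Account
    InAllowList       = $allowed
    InDenyList        = $denied
    CanLogOnAsService = ($allowed -and -not $denied)
}
```

Run it on one approved host and one non-approved host after a `gpupdate /force`; the approved host should show `InDenyList` false and `CanLogOnAsService` true, the others the reverse.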