Possible Duplicate:
Prevent service accounts from logging in locally or remotely
I've got a few accounts being used to run various services, e.g. SQL.Service, TFS.Application, etc., and want to mark those accounts as not supporting interactive login in AD.
Presumably I should put them in a specific security group (I've created one called MyOrg.Services) but I don't know how to flag users in that group as being services, not "real" users.
I think a Managed Service Account would meet your requirements.
The process is relatively simple. Create your user as you would a normal user. Open the "Local Security Policy" editor (under Administrative Tools) and drill down to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment, and you'll find "Deny log on locally".
From there, open it up & add the user(s) in question.
You may also want to add them to the "Log on as Service" policy as well for the sake of completeness.
There are several other spiffy options you may want to play with in there as well.
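
To confirm the result of the steps in the answer above, the following added example (not part of the original answer) exports the machine's user rights with `secedit` and reports whether each account holds "Deny log on locally" and "Log on as a service", plus the Remote Desktop deny right. The account names are the ones from the question and are assumptions about your environment; run it from an elevated prompt.

```powershell
# Added example: report which logon rights are assigned to the service accounts.
# Run from an elevated prompt on the machine whose policy you want to check.
param(
    # Names from the question; replace with your own accounts or group.
    [string[]]$Accounts = @('MyOrg.Services', 'SQL.Service', 'TFS.Application')
)

# Privilege constants as secedit writes them, with their policy-editor labels.
$rights = [ordered]@{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    SeServiceLogonRight               = 'Log on as a service'
}

# Export only the user-rights area of the machine's security policy.
$cfg = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
try {
    # Lines look like: SeServiceLogonRight = *S-1-5-80-0,SomeAccount
    $assigned = @{}
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $assigned[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

foreach ($name in $Accounts) {
    # secedit stores SIDs when it can, so compare on SID and fall back to the name.
    try {
        $sid = ([System.Security.Principal.NTAccount]$name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "Cannot resolve '$name' to a SID; skipping."
        continue
    }
    foreach ($right in $rights.Keys) {
        $holders = @($assigned[$right])
        [pscustomobject]@{
            Account  = $name
            Right    = $rights[$right]
            Assigned = ($holders -contains $sid) -or ($holders -contains $name)
        }
    }
}
```

The check covers direct assignments only: a user who is denied through membership of a group such as MyOrg.Services shows `Assigned = False` on their own row, so read the group's row as well.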