We have a company doing development for us in-house and they have access to several service accounts. The company rotates people in and out, and instead of requesting accounts the developers are using service accounts to log on to the servers.
What is the best way to lock out the ability to use that account without affecting the purpose of a service account?
Can we safely check the "Deny this user permissions to log on to any Terminal Server" tickbox in AD under Terminal Services Profile?
If we created a domain policy to prevent logging in for that OU would that be a better way to go?
You can create settings in your local group policy (gpedit.msc) to achieve this. Look under Computer Config | Windows Settings | Security Settings | Local Policies | User Rights Assignment. The specific ones you want are Deny logon as a batch job, Deny logon locally and Deny logon through Terminal Services.
You can also tune some of the other settings here, such as Access this computer from the network, to harden it further.
It goes without saying, but make these changes one at a time, and test your service works correctly after each one before proceeding to the next.
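The three "Deny ..." rights named in this answer can be applied without clicking through gpedit.msc. The script below is an added example, not code from the original answer: it uses secedit, which writes the same local User Rights Assignment settings that gpedit.msc edits, merges the service accounts into whatever is already listed (secedit /configure replaces the whole list for every right the INF names, so a naive INF would drop existing entries), reads the policy back to verify, and finishes by listing the services that run under those accounts so they can be tested as the answer advises. The account names are placeholders; run it elevated on the server. A domain GPO that sets the same rights will override this local policy, so on domain-joined servers the same settings are normally delivered through GPMC instead.

```powershell
# Added example (not from the original answer): deny interactive, RDP and batch
# logon for service accounts on this server using secedit, merged with the
# accounts already holding each right. Placeholders: the two account names.
$ServiceAccounts = @('CONTOSO\svc_web', 'CONTOSO\svc_sql')   # placeholders

# secedit privilege names for the three settings named in the answer.
$DenyRights = @(
    'SeDenyBatchLogonRight'               # Deny log on as a batch job
    'SeDenyInteractiveLogonRight'         # Deny log on locally
    'SeDenyRemoteInteractiveLogonRight'   # Deny log on through Terminal Services
)

$Work = Join-Path $env:TEMP 'deny-svc-logon'
New-Item -ItemType Directory -Force -Path $Work | Out-Null

function Get-UserRightsAssignment {
    # Export the current User Rights Assignment and return a hashtable of
    # privilege name -> array of '*S-1-5-...' entries as secedit stores them.
    $inf = Join-Path $Work 'current.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $rights
}

# Resolve the accounts to SIDs; secedit expects each SID prefixed with '*'.
$NewSids = foreach ($acct in $ServiceAccounts) {
    '*' + ([System.Security.Principal.NTAccount]$acct).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
}

# Merge: existing holders of each deny right + the service accounts.
$Before = Get-UserRightsAssignment
$Merged = foreach ($right in $DenyRights) {
    $all = @($Before[$right]) + $NewSids | Where-Object { $_ } | Sort-Object -Unique
    "$right = $($all -join ',')"
}

# Build the INF secedit expects and apply only the USER_RIGHTS area.
$InfLines = @(
    '[Unicode]', 'Unicode=yes',
    '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
    '[Privilege Rights]'
) + $Merged
$Inf = Join-Path $Work 'deny.inf'
Set-Content -Path $Inf -Value $InfLines -Encoding Unicode
secedit /configure /db (Join-Path $Work 'deny.sdb') /cfg $Inf /areas USER_RIGHTS /quiet

# Verify from the live policy rather than assuming the write succeeded.
$After = Get-UserRightsAssignment
foreach ($right in $DenyRights) {
    $missing = $NewSids | Where-Object { $After[$right] -notcontains $_ }
    if ($missing) { Write-Warning "$right is missing: $($missing -join ', ')" }
    else          { Write-Output  "$right now denies: $($After[$right] -join ', ')" }
}

# Services that run as these accounts: restart and test each one, as the
# answer says, before adding the next deny right on another server.
Get-CimInstance Win32_Service |
    Where-Object { $ServiceAccounts -contains $_.StartName } |
    Select-Object Name, State, StartName
```

The "Deny" rights are evaluated before "Allow" rights, so an account that is both a member of Administrators and listed in SeDenyRemoteInteractiveLogonRight still cannot open an RDP session; that is what makes this approach safe for a service account that keeps its service logon right untouched.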
Actually there is a much simpler way. Using Active Directory you can actually specify the machines that a user is able to log on to. If you don't want a specific user to be able to log onto any machine, simply allow them to log onto a machine that does not exist in your network.
i.e.: if your computers are DT001, DT002, DT003 simply allow the user to log onto only DT000.
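The "Log On To" list this answer describes is the LogonWorkstations attribute of the user object, and it can be set in bulk with the ActiveDirectory PowerShell module. The function below is an added example, not code from the original answer: it sets the list for several service accounts at once, checks whether each name in the list is a real computer object (so a decoy like DT000 is confirmed not to exist, and a real host is confirmed to exist), and reads the attribute back from the directory. It generalizes the answer slightly: the list can be the single non-existent machine the answer suggests, or the real hosts the service actually runs on. Account and host names are placeholders; the module (RSAT) and rights to modify the accounts are assumed.

```powershell
# Added example (not from the original answer): restrict the machines a service
# account may log on to by setting its Log On To list (LogonWorkstations).
# Placeholders: every account and host name in the usage calls at the bottom.
Import-Module ActiveDirectory

function Set-ServiceAccountLogonHosts {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Account,      # sAMAccountNames
        [Parameter(Mandatory)][string[]]$AllowedHost   # NetBIOS computer names
    )

    # Report whether each listed name is a real computer object, so you know
    # whether you are pointing at a decoy (answer's DT000) or a live host.
    foreach ($h in $AllowedHost) {
        $exists = [bool](Get-ADComputer -Filter "Name -eq '$h'" -ErrorAction SilentlyContinue)
        Write-Verbose ("{0}: {1}" -f $h, $(if ($exists) { 'exists in AD' } else { 'not in AD (decoy)' }))
    }

    # AD stores the list as a single comma-separated string.
    $list = ($AllowedHost | Sort-Object -Unique) -join ','

    foreach ($a in $Account) {
        # -WhatIf on this function propagates to Set-ADUser via $WhatIfPreference.
        Set-ADUser -Identity $a -LogonWorkstations $list
        # Read back from the directory rather than trusting the write.
        Get-ADUser -Identity $a -Properties LogonWorkstations |
            Select-Object SamAccountName, LogonWorkstations
    }
}

# The answer's approach: allow only a machine that does not exist.
Set-ServiceAccountLogonHosts -Account 'svc_web' -AllowedHost 'DT000' -Verbose -WhatIf

# Or list the real hosts the service runs on (placeholders).
Set-ServiceAccountLogonHosts -Account 'svc_web', 'svc_sql' -AllowedHost 'DT001', 'DT002' -Verbose -WhatIf

# To undo, clear the underlying attribute by its LDAP name:
#   Set-ADUser -Identity svc_web -Clear userWorkstations
```

Drop the -WhatIf switches once the output shows the intended accounts and list. Whichever list you choose, test the service after the change on the machine it actually runs on, because a restriction that was meant to stop developers from using the account is also a restriction the service itself must satisfy wherever the directory enforces it.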