A: Logon rights let you prevent users from logging on with accounts that you've created expressly for a service. There are five logon rights, each of which governs whether an account can log on a certain way. You can find these logon rights in the Microsoft Management Console (MMC) Group Policy Object Editor snap-in under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. Windows requires you to have the Access this computer from the network logon right to access anything provided by your server or Microsoft IIS. You need the Log on locally right to log on interactively at the console of a computer and the Allow log on through Terminal Services logon right to log on via an RDP connection. These are the only logon rights a user can directly use. The other two rights, Log on as a batch job and Log on as a service, let scheduled tasks and services run under a specified account.
The key to preventing users from logging on with an account that you've created for a service is to make sure such accounts don't have any logon rights other than the Log on as a service right. I recommend creating a group called Service Accounts, then assigning that group the deny version of each logon right. Because deny rights override allow rights, no member of Service Accounts will be able to log on except as a service. The only problem with using this method is that a service that needs to access other Windows computers on the network under the service's domain account identity won't be able to. For example, a service on server A that needs to pull files from a shared folder on server B requires the Access this computer from the network logon right on server B to do so.
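An added check for the recommendation above (example code, not from the column): parse the `[Privilege Rights]` section of a `secedit /export` INF file and report whether the Service Accounts group is denied every logon right except Log on as a service. The group SID and the export contents below are constructed sample values.

```python
# Audit a secedit export against the "deny every logon right except
# Log on as a service" recommendation. Constructed sample data; the
# privilege names are the real Windows user-right constants.
LOGON_RIGHTS = {  # column label -> (allow right, deny right)
    "Access this computer from the network": ("SeNetworkLogonRight", "SeDenyNetworkLogonRight"),
    "Log on locally": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "Allow log on through Terminal Services": ("SeRemoteInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight"),
    "Log on as a batch job": ("SeBatchLogonRight", "SeDenyBatchLogonRight"),
    "Log on as a service": ("SeServiceLogonRight", "SeDenyServiceLogonRight"),
}

SERVICE_ACCOUNTS_SID = "S-1-5-21-1000-2000-3000-1105"  # constructed group SID

SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyNetworkLogonRight = *S-1-5-21-1000-2000-3000-1105
SeDenyInteractiveLogonRight = *S-1-5-21-1000-2000-3000-1105
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1000-2000-3000-1105
SeServiceLogonRight = *S-1-5-21-1000-2000-3000-1105
[Version]
signature="$CHICAGO$"
Revision=1
"""  # constructed: batch logon is deliberately left undenied

def parse_privilege_rights(inf_text):
    """Return {privilege: set of SIDs/names} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, holders = line.partition("=")
        # secedit writes SIDs with a leading '*'; strip it for comparison.
        rights[name.strip()] = {h.strip().lstrip("*") for h in holders.split(",") if h.strip()}
    return rights

def audit_service_group(inf_text, group_sid):
    """For each of the five logon rights, report 'denied', 'allowed', or 'neither' for the group."""
    rights = parse_privilege_rights(inf_text)
    report = {}
    for label, (allow, deny) in LOGON_RIGHTS.items():
        if group_sid in rights.get(deny, set()):
            report[label] = "denied"
        elif group_sid in rights.get(allow, set()):
            report[label] = "allowed"
        else:
            report[label] = "neither"
    return report

def findings(report):
    """Deviations from the advice: every right but Log on as a service must be denied."""
    out = []
    for label, status in report.items():
        if label == "Log on as a service":
            if status == "denied":  # would stop the services themselves from starting
                out.append("Log on as a service is denied")
        elif status != "denied":
            out.append(f"'{label}' is not denied ({status})")
    return out
```

Remember the column's caveat: a server whose policy denies the group network logon will also refuse a service on another server that connects under that account.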
—Randy Franklin Smith