Prevent service accounts from logging in locally or remotely

We have a company doing development for us in-house and they have access to several service accounts. The company rotates people in and out, and instead of requesting accounts the developers are using service accounts to log on to the servers.

What is the best way to lock out the ability to use that account without affecting the purpose of a service account?

Can we safely check the "Deny this user permissions to log on to any Terminal Server" tickbox in AD under Terminal Services Profile?

If we created a domain policy to prevent logging in for that OU would that be a better way to go?


Solution 1:

You can create settings in your local group policy (gpedit.msc) to achieve this. Look under Computer Config | Windows Settings | Security Settings | Local Policies | User Rights Assignment. The specific ones you want are Deny logon as a batch job, Deny logon locally and Deny logon through Terminal Services.

You can also tune some of the other settings here, such as Access this computer from the network, to harden it further.

It goes without saying, but make these changes one at a time, and test your service works correctly after each one before proceeding to the next.