Question

Server 2003 AD User account that can't be used as a log in.

By michael.carr
All right, here's what's needed:

A user account that can't be used to log into a computer BUT can be used to join to the domain, access shared files and use servers with administrator access.

All Answers

Interesting

by The Scummy One In reply to Server 2003 AD User accou ...

I am unsure if there is a way to do exactly what you want, but here is an idea for a workaround.

Create the user, assign permissions or stick in the proper global group. Create a logon script for this user to force a logoff.

even if you break in, it's still logging on.

by CG IT In reply to Server 2003 AD User accou ...

if you can't log on, how are you going to join the computer to the domain, access shared files on the computer and use servers?

even if you remote you still must authenticate and today's basic security is two factor authentication.

Yes, but a logon script to logoff

by The Scummy One In reply to even if you break in, it' ...

should do the trick, no?
If the account has permissions then joining the domain should be no problem, I do it all the time using my credentials without being logged in.

but you're authenticating

by CG IT In reply to Yes, but a logon script t ...

so there is a logon event. For a logon script to run, which logs off the user, a user account must "login" so there is a logon event.

you can stealth the event and even have a user account that is a ghost to the system, but that's just circumventing logging and appearance. The account is still there, it has a SID, etc, it just does not show on the normal GUI and logging.

Granted one has to be a pretty good programmer to do this but for the cyber hacker, it's done all the time.

Restrict access

by p.j.hutchison In reply to but your authenticating

It is possible but in a clever way:
1. Open properties of user in AD Users and Computers.
2. Click on the Account page.
3. Select 'Log On To' and enter a computer that you know does not exist.
4. You could also use the Access Hours to restrict when it can be used.

Now, it's impossible to logon to a server or workstation with this account but you can still use it for authentication etc :)
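
The same two restrictions from the steps above, applied with ADSI rather than the ADUC GUI, as an added example that is not from the original thread. It assumes PowerShell on a machine that can reach a domain controller, an account allowed to edit the user, and that the distinguished name and the non-existent workstation name are placeholders you replace (both are constructed here); the logon window is an example value in UTC.

```powershell
# Added example: scripted version of the 'Log On To' + 'Logon Hours' workaround.
# Placeholders below are constructed and must be replaced for a real domain.
param(
    [string]$UserDn           = 'CN=svc-joiner,OU=Service Accounts,DC=example,DC=local', # placeholder DN
    [string]$BogusWorkstation = 'NOSUCHPC-00',  # constructed name; must match no real machine
    [int]$AllowStartHourUtc   = 6,              # example window: allow use 06:00-19:59 UTC
    [int]$AllowEndHourUtc     = 20
)

$user = [ADSI]"LDAP://$UserDn"

# ADUC 'Log On To' = userWorkstations: comma-separated NetBIOS names that may
# perform an interactive logon with this account. Naming a machine that does not
# exist leaves no workstation the account can log on to interactively, while
# network authentication (domain join, share access) is unaffected, as the answer says.
$user.Put('userWorkstations', $BogusWorkstation)

# ADUC 'Logon Hours' = logonHours: 21 bytes = 168 bits, one per hour of the week,
# starting Sunday 00:00 UTC, bit 0 of byte 0 first. A set bit permits use in that hour.
$hours = New-Object byte[] 21
for ($day = 0; $day -lt 7; $day++) {
    for ($h = $AllowStartHourUtc; $h -lt $AllowEndHourUtc; $h++) {
        $bit  = $day * 24 + $h
        $idx  = [int][math]::Floor($bit / 8)
        $mask = [byte][math]::Pow(2, ($bit % 8))
        $hours[$idx] = [byte]($hours[$idx] -bor $mask)
    }
}
$user.Put('logonHours', $hours)
$user.SetInfo()

# Read the attributes back so the change can be verified from the same session.
$user.RefreshCache()
"userWorkstations : $($user.Get('userWorkstations'))"
$stored = [byte[]]$user.Get('logonHours')
"logonHours (hex) : " + (($stored | ForEach-Object { $_.ToString('x2') }) -join ' ')
```

ADUC displays logon hours shifted into the viewing machine's local time zone, so the hex bytes here and the GUI grid will not line up unless that machine is on UTC.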

I took it differently

by The Scummy One In reply to but your authenticating

I took the logon to mean logon to a system. Logging in to the network is a different story. When logging in to a system, scripts run, etc. When logging in to the network while logged on the system under a different account, scripts don't run, just permissions are checked.
Thus allowing no system logons, but allowing permissions to do things.

At least that is my take.
