.. Reminder for header structure:
   Parts (H1)          : #################### with overline
   Chapters (H2)       : ******************** with overline
   Sections (H3)       : ====================
   Subsections (H4)    : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
   :description: Storing Bitlocker keys in Samba Active Directory
   :keywords: Security, Samba-AD, documentation

.. _samba_deny_service_account_open_windows_session:

######################################################
Prevent service accounts from opening Windows sessions
######################################################

******
Target
******

The service accounts used by your third-party tools to query the LDAP or connect to your shares, for example the accounts for your copiers or scanners, very often have passwords that are never changed.
It is therefore important to give them minimal access rights and to prevent them from opening interactive sessions on your domain.

*************
Configuration
*************

* Create an Organizational Unit "Services_accounts" and create the service accounts in it as accounts of the user type.

  .. attention::

     If service accounts are already configured in your applications, you must reconfigure the applications with the new base DN.

* Create a new group "services_group" and add all service user accounts to it.

* Create a Computer Configuration GPO "disable_logon_service_account" and apply it to the whole domain.

  .. code-block:: text

     Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
     Deny log on through Remote Desktop Services
     Check "Define these policy settings".
     Add the "services_group" group
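
To confirm that the GPO actually carries the setting, the following added example (not part of the original documentation) parses the GPO's security template, ``GptTmpl.inf``, and reports which deny-logon rights list the group. The sample template content and the SID used for "services_group" are constructed for illustration.

```python
# GptTmpl.inf user-rights constants for the two deny-logon policies.
DENY_LOGON_RIGHTS = {
    "SeDenyRemoteInteractiveLogonRight": "Deny log on through Remote Desktop Services",
    "SeDenyInteractiveLogonRight": "Deny log on locally",
}

# Constructed sample: the SID and template content do not come from a real domain.
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # assumed SID of services_group
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
"""

def load_inf(path):
    """Read <GPO folder>/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf from SYSVOL."""
    with open(path, "rb") as handle:
        data = handle.read()
    # The template is normally UTF-16 with a BOM; fall back to UTF-8 otherwise.
    has_bom = data[:2] in (b"\xff\xfe", b"\xfe\xff")
    return data.decode("utf-16" if has_bom else "utf-8")

def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading "*"; account names are written bare.
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def deny_rights_for(inf_text, principal):
    """Sorted deny-logon rights that list `principal` (SID or account name)."""
    wanted = principal.lstrip("*").lower()
    rights = parse_privilege_rights(inf_text)
    return sorted(r for r in DENY_LOGON_RIGHTS
                  if wanted in (p.lower() for p in rights.get(r, [])))

if __name__ == "__main__":
    for right in deny_rights_for(SAMPLE_INF, GROUP_SID):
        print(f"{right}: {DENY_LOGON_RIGHTS[right]}")
```

An empty result for the group means the GPO does not define the policy for it, so the setting was not saved or the wrong GPO was inspected.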