Deny service accounts from opening a Windows session
Target
The service accounts that your third-party tools use to query LDAP or connect to your shares (for example, the accounts for your copiers or scanners) very often have unchanged passwords.
It is therefore important to give them minimal access rights and to prevent them from opening interactive sessions on your domain.
Configuration
Create an Organizational Unit “Services_accounts” and create the service accounts in it as user-type accounts.
Attention
If you have already configured a service account in your applications, you must reconfigure them with the new base DN.
Create a new group “services_group” and add all the service user accounts to it.
Create a Computer Configuration GPO “SEC_disable_logon_service_account” and link it to the whole domain.
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
Double-click “Deny log on through Remote Desktop Services”.
Check “Define these policy settings”.
Add the “services_group” group, for example “MYDOMAIN\grp_service”.
Close the window.
Double-click “Deny log on locally”.
Check “Define these policy settings”.
Add the “services_group” group, for example “MYDOMAIN\grp_service”.
Close the window.
After restarting a computer, check that the GPO is working correctly.
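One way to do that final check, as an added example that is not part of the original page: the script exports the computer's effective user rights with secedit and tests whether the group's SID is listed under both deny rights. The group name MYDOMAIN\services_group and the temporary file name are assumptions; adjust them to your domain.

```powershell
# Added example: run from an elevated PowerShell prompt on a domain computer
# after it has restarted. Assumption: the group is MYDOMAIN\services_group.
$GroupName = 'MYDOMAIN\services_group'

# User-right constants behind the two policy settings configured in the GPO.
$Rights = [ordered]@{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

# Resolve the group to its SID, because secedit exports members as *S-1-5-... entries.
$GroupSid = ([System.Security.Principal.NTAccount]$GroupName).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Export the effective user rights assignment of this computer.
$Export = Join-Path $env:TEMP 'user_rights.inf'
secedit.exe /export /cfg $Export /areas USER_RIGHTS | Out-Null
$Lines = Get-Content -Path $Export
Remove-Item -Path $Export

$Results = foreach ($Right in $Rights.Keys) {
    # A right with no members is absent from the export.
    $Line = $Lines | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    $Members = @()
    if ($Line) {
        $Members = ($Line -split '=', 2)[1].Split(',') | ForEach-Object {
            $Entry = $_.Trim()
            if ($Entry.StartsWith('*')) { $Entry.TrimStart('*') }   # already a SID
            else {
                # Some entries are exported by name; translate them to a SID.
                try { ([System.Security.Principal.NTAccount]$Entry).Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value }
                catch { $Entry }
            }
        }
    }
    [pscustomobject]@{
        Setting = $Rights[$Right]
        Right   = $Right
        Applied = $Members -contains $GroupSid
    }
}

$Results | Format-Table -AutoSize
if ($Results.Applied -contains $false) {
    Write-Warning "GPO not fully applied: run 'gpresult /r /scope computer' to see which GPOs were applied."
}
```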