Prevent service accounts from opening a Windows session

Target

The service accounts that your third-party tools use to query LDAP or connect to your shares, for example the accounts for your copiers or scanners, very often have passwords that are never changed.

It is therefore important to give them minimal access rights and to prevent them from opening interactive sessions on your domain.

Configuration

  • Create an Organizational Unit “Services_accounts” and create the service accounts in it as user-type accounts.

Attention

If a service account is already configured in your applications, you must reconfigure them with the new base DN.

  • Create a new group “services_group” and add all service user accounts to it.

  • Create a Computer Configuration GPO “disable_logon_service_account” and apply it to the whole domain.

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment

Deny log on through Remote Desktop Services
Check "Define these policy settings".
Add the "services_group" group.
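
The steps above scripted, as an added example that is not part of the original page. It assumes the RSAT ActiveDirectory and GroupPolicy modules and a domain administrator session, and the two function names are hypothetical; the user right itself is still set in the GPO editor as described, and the second function checks on a domain member that it has applied.

```powershell
# Added example: hypothetical helper names; requires the RSAT ActiveDirectory
# and GroupPolicy modules and a domain administrator session.
Import-Module ActiveDirectory, GroupPolicy

$OuName  = 'Services_accounts'
$Group   = 'services_group'
$GpoName = 'disable_logon_service_account'

function New-ServiceAccountLockdown {
    $domainDn = (Get-ADDomain).DistinguishedName
    $ouDn     = "OU=$OuName,$domainDn"
    # OU and group are created only when missing, so the script can be re-run.
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $domainDn -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $OuName -Path $domainDn
    }
    if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
        New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security -Path $ouDn
    }
    # Add every user object under the OU that is not yet a member of the group.
    $current = @(Get-ADGroupMember -Identity $Group | ForEach-Object { $_.SID.Value })
    $missing = @(Get-ADUser -Filter * -SearchBase $ouDn |
                 Where-Object { $_.SID.Value -notin $current })
    if ($missing.Count) { Add-ADGroupMember -Identity $Group -Members $missing }
    # Empty GPO linked at the domain root; the user right is then defined
    # in the GPO editor as described in the steps above.
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName | New-GPLink -Target $domainDn | Out-Null
    }
}

function Test-ServiceGroupRdpDenied {
    # Run elevated on a domain member after 'gpupdate /force': exports the
    # effective user rights and looks for the group's SID in the deny right.
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $sid = (Get-ADGroup -Identity $Group).SID.Value
    $hit = Select-String -Path $cfg -Pattern '^SeDenyRemoteInteractiveLogonRight\s*=\s*(.*)$' |
           Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $hit) { return $false }   # right not defined on this machine
    # secedit writes SIDs as "*S-1-5-..." separated by commas.
    $entries = $hit.Matches[0].Groups[1].Value -split ',' |
               ForEach-Object { $_.Trim().TrimStart('*') }
    return $entries -contains $sid
}
```

Call `New-ServiceAccountLockdown` once from an administration workstation, then `Test-ServiceGroupRdpDenied` on any machine in scope; it returns `$true` when the group is listed under the deny right.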