    Domain admin account as service account

    IT Discussion
IRJ

Unfortunately, I had to use a domain admin account as a service account to get it to work properly. I would like to lock down this account as much as possible. I would like to block the account from logging into all but 4 servers if possible.

StrongBad

You want to lock down a domain admin account? What caused you to need to use a domain admin account?

thanksajdotcom

If the servers aren't DCs, can you just make local admin accounts to replace the domain admin account?

IRJ @thanksajdotcom

@ajstringham said:

    If the servers aren't DCs, can you just make local admin accounts to replace the domain admin account?

I wish I could.

IRJ @StrongBad

@StrongBad said:

    You want to lock down a domain admin account? What caused you to need to use a domain admin account?

The application won't work otherwise. I have tried setting the minimum permissions required for months. I just can't get it to work right.

StrongBad @IRJ

@IRJ said:

    @ajstringham said:

        If the servers aren't DCs, can you just make local admin accounts to replace the domain admin account?

    I wish I could.

What technical issue is blocking you?

IRJ
last edited by IRJ

All I need are responses on how to lock down an account. Not how to get it to work without it being a DA account. Frankly it just won't work right otherwise. I have been trying to get it to work for months.

StrongBad @IRJ

@IRJ said:

    @StrongBad said:

        You want to lock down a domain admin account? What caused you to need to use a domain admin account?

    The application won't work otherwise. I have tried setting the minimum permissions required for months. I just can't get it to work right.

Can you provide any insight into the application or why the account isn't working?

thanksajdotcom @IRJ

@IRJ said:

    All I need are responses on how to lock down an account. Not how to get it to work without it being a DA account. Frankly it just won't work right otherwise. I have been trying to get it to work for months.

Just think about what you're asking. You want to lock down an account that, by its very design, is supposed to have master control. I don't know of any way to restrict a domain login to specific domain PCs. It's kind of counter-intuitive.

thanksajdotcom

I'm doing research but I'm seeing the inverse of what you want. I'm finding results for how to restrict a PC to only one user, but not one user to only one PC.

StrongBad
last edited by StrongBad

Does this help?

We do something similar to this in our remote offices. First, create a group for the pseudo-admins in the domain. In AD, delegate control to the OUs they may need to manage (create/delete accounts, or maybe just reset passwords, or nothing at all).

Then use Group Policy to add your group to the local administrators group on the workstations and servers using Computer\Windows Settings\Security Settings\Restricted Groups. Do not deploy this policy to the Domain Controllers OU or the OUs containing your servers.

This obviously depends on having an AD configured in a manner to separate the client systems from the servers.

This is not my answer but is taken from ServerFault.

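The delegated-admin procedure quoted above, written out as an added PowerShell example (this is not StrongBad's code nor the ServerFault answer's). The domain name corp.example, the group name BranchAdmins, the OU paths and the GPO name are all assumptions; the Restricted Groups membership itself has no cmdlet in the GroupPolicy module, so that one step is left to the GPO editor and the script instead verifies where the GPO is linked.

```powershell
# Added example: build a delegated "pseudo-admin" group instead of using Domain Admin.
# All names below (domain, group, OUs, GPO) are assumed; adjust to your forest.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain        = 'corp.example'                             # assumed
$GroupName     = 'BranchAdmins'                             # assumed
$GroupOU       = 'OU=Groups,DC=corp,DC=example'             # assumed
$ManagedOU     = 'OU=BranchUsers,DC=corp,DC=example'        # OU they may manage (assumed)
$WorkstationOU = 'OU=Workstations,DC=corp,DC=example'       # where the GPO is linked (assumed)
$GpoName       = 'Local Admins - Branch Workstations'       # assumed

# 1. A global security group for the pseudo-admins.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}

# 2. Delegate only what they need on that OU. Here: reset passwords on user objects,
#    plus write pwdLastSet so they can tick "must change password at next logon".
#    /I:S makes the ACE inherit to the OU's sub-objects. Trim this list to taste.
& dsacls.exe $ManagedOU /I:S /G "$Domain\${GroupName}:CA;Reset Password;user"
& dsacls.exe $ManagedOU /I:S /G "$Domain\${GroupName}:WP;pwdLastSet;user"

# 3. A GPO linked only to the workstation OU; never to Domain Controllers or server OUs.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$links = (Get-GPInheritance -Target $WorkstationOU).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $WorkstationOU -LinkEnabled Yes | Out-Null
}
# The Restricted Groups entry (Computer Configuration > Windows Settings > Security
# Settings > Restricted Groups: add CORP\BranchAdmins as a member of Administrators)
# has to be set in the GPO editor on the GPO created above.

# 4. Verify the link scope. Any DC or server OU in this list is a mistake.
$report = [xml](Get-GPOReport -Name $GpoName -ReportType Xml)
$report.GPO.LinksTo | Select-Object SOMName, SOMPath, Enabled
```

Re-run step 4 after every change to the GPO; the point of the whole exercise is that the group reaches the local Administrators group on workstations only, while its rights in AD stay limited to what dsacls granted.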
IRJ @thanksajdotcom

@ajstringham said:

    @IRJ said:

        All I need are responses on how to lock down an account. Not how to get it to work without it being a DA account. Frankly it just won't work right otherwise. I have been trying to get it to work for months.

    Just think about what you're asking. You want to lock down an account that, by its very design, is supposed to have master control. I don't know of any way to restrict a domain login to specific domain PCs. It's kind of counter-intuitive.

I believe there is a way to restrict the account to just services if I remember correctly.

IRJ

I am going to put a pause on this question for the moment. I am going to force the vendor to give me specific access rights and I am not going to accept the domain admin account as the answer.

A Former User @thanksajdotcom
last edited by A Former User

@ajstringham said:

    I don't know of any way to restrict a domain login to specific domain PCs. It's kind of counter-intuitive.

Um... Login Restrictions. It can actually be very useful!

[attached screenshot: login.png]

thanksajdotcom @A Former User

@thecreativeone91 said:

    @ajstringham said:

        I don't know of any way to restrict a domain login to specific domain PCs. It's kind of counter-intuitive.

    Um... Login Restrictions. It can actually be very useful!

    [attached screenshot: login.png]

Ah, good to know! My bad!

IRJ @A Former User

@thecreativeone91 said:

    @ajstringham said:

        I don't know of any way to restrict a domain login to specific domain PCs. It's kind of counter-intuitive.

    Um... Login Restrictions. It can actually be very useful!

    [attached screenshot: login.png]

That would be great if I could restrict the user from connecting to AD. In theory the user could just download the RSAT tools on one of the boxes they can log on to and remove their own restrictions.

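The "Log On To" restriction from the screenshot, applied to the original poster's four servers and then re-checked, as an added PowerShell example (not code from anyone in the thread). It sets the userWorkstations attribute through Set-ADUser's -LogonWorkstations parameter and then treats the attribute as a tripwire rather than a boundary, since, as IRJ points out, an account that is still a Domain Admin can remove the restriction itself. The account name svc-vendorapp and the server names APP01 to APP04 are assumptions.

```powershell
# Added example: restrict a service account to four servers and detect when that
# restriction is changed. Account and server names are assumed placeholders.
Import-Module ActiveDirectory

$Account        = 'svc-vendorapp'                      # assumed
$AllowedServers = 'APP01', 'APP02', 'APP03', 'APP04'   # assumed NetBIOS names

# Apply the restriction: LogonWorkstations is the userWorkstations attribute,
# a comma-separated list of computer names allowed to log this account on.
Set-ADUser -Identity $Account -LogonWorkstations ($AllowedServers -join ',')

function Test-LogonRestriction {
    param([string]$SamAccountName, [string[]]$Expected)
    $u = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations, MemberOf
    $current = @()
    if ($u.LogonWorkstations) { $current = $u.LogonWorkstations -split ',' }
    $extra   = @($current  | Where-Object { $_ -notin $Expected })
    $missing = @($Expected | Where-Object { $_ -notin $current })
    # Still a member of Domain Admins? Then the restriction is self-removable.
    $isDA = [bool]($u.MemberOf -match '^CN=Domain Admins,')
    [pscustomobject]@{
        Account          = $SamAccountName
        Restricted       = ($current.Count -gt 0)
        Drift            = ($extra.Count -gt 0 -or $missing.Count -gt 0)
        Unexpected       = ($extra -join ',')
        Missing          = ($missing -join ',')
        StillDomainAdmin = $isDA
    }
}

# Run from a scheduled task and alert on Drift or on Restricted = False.
$r = Test-LogonRestriction -SamAccountName $Account -Expected $AllowedServers
if ($r.Drift -or -not $r.Restricted) {
    Write-Warning "Logon restriction on $Account was changed: $($r | ConvertTo-Json -Compress)"
}
if ($r.StillDomainAdmin) {
    Write-Warning "$Account is still in Domain Admins and can undo this restriction itself."
}
$r
```

The check only tells you after the fact: a change to userWorkstations is also recorded on the domain controller as a 4738 "A user account was changed" event, so that event on this account is the thing to alert on. None of this reduces what the account can do on the four servers it is still allowed to reach, which is why the rest of the thread keeps pushing back toward delegated rights instead.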
Dashrender

For those same reasons you can't lock down a Domain Admin account.

Solving the problem so you can use a non-domain-admin account is the only way to really lock it down.