Deny RDP and logon locally for admin account

Question

Hi,

We have a service account that needs to be added to the local administrators group on machines due to an application.
Is there a policy I can set so that the account is not able to RDP to the machine ?
The user should only be a service user and not a user that can sign in.

Thanks for reply

Andreas

Answer 1

Use a Managed Service Account.

managed-service-accounts-understanding-implementing

Bing Search MSA

If that is not an option, then grant your account "logon as service", and then fix the security permissions on files/folders that the service accesses so that you don't need to grant the account full administrator rights.

Answer 2

Hi,

Is there a policy I can set so that the account is not able to RDP to the machine ?

You may try to assign the account with group policy: Deny log on through Remote Desktop Services

1. Start | Run | Gpedit.msc if editing the local policy or chose the appropriate policy and edit it.
2. Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment.
3. Find and double click "Deny logon through Remote Desktop Services"
4. Add the user and / or the group that you would like to dny access.
5. Click ok.
6. Run gpupdate /force /target:computer for this setting to take effect.

-----Please can click “Accept as answer” if any of above reply is helpful-------

Thanks,
Jenny