Given the complexities you mention, your best option is probably to set a
group policy that allows that account to log on only to the Exchange
Server/DC (ouch). There are group policy user rights assignment settings
such as "Allow log on locally", "Deny log on locally", "Log on as a
service", "Deny log on through terminal services", etc. You'd want to deny
the account the ability to log on to the other machines in the domain, but
allow it to log on to the DC (which you will have to explicitly do, anyway,
because DCs do not, by default, allow non-administrative logins locally).
HTH,
Laura
> -----Original Message-----
> From: Paul Aviles [mailto:paviles (at) adjoined (dot) com [email concealed]]
> Sent: Tuesday, October 05, 2004 1:10 PM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: Restricting account to a computer only
>
> We want to restrict a service account only to login to one
> computer for security reasons.
>
> This is for an exchange 2000 server and obviously we don't
> want anyone to use the account/password to read people's
> emails since the account must be a member of the Domain
> Exchange Admin (yeah/neah?). I found an option under Account
> / Login To, but it says at the top "This feature requires the
> NetBIOS protocol. In Computer Name, type the pre-Windows 2000
> computer name". We obviously don't use NetBios, is there any
> other way to do this?
> To make things even better... The Exchange server is also a
> DC...... I didn't do it...
>
> The same concern I have if we create an account and put them
> in the Backup Operators group. What can restrict that account
> to login only on servera for example and not in all other
> workstations in the domain?
>
> Thanks so much for your help.
>
> Paul
>
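The user rights Laura names correspond to policy constants that secedit can export from a machine, so the "deny everywhere, allow on the DC" outcome can be confirmed host by host after the GPO applies. As an added example (not code from either message), this PowerShell script reports which of those rights a service account directly holds on the machine it runs on; the account name CONTOSO\svc-exchange is a placeholder, and the script must run elevated because secedit /export requires administrative rights.

```powershell
# Added example: audit which logon rights an account directly holds on this host.
# Assumptions (not from the thread): placeholder account 'CONTOSO\svc-exchange',
# run in an elevated PowerShell on Windows.
param([string]$Account = 'CONTOSO\svc-exchange')

# Policy constant -> name shown under User Rights Assignment in the GPO editor.
$rightsOfInterest = [ordered]@{
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeServiceLogonRight'               = 'Log on as a service'
    'SeDenyServiceLogonRight'           = 'Deny log on as a service'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Terminal Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
    'SeNetworkLogonRight'               = 'Access this computer from the network'
    'SeDenyNetworkLogonRight'           = 'Deny access to this computer from the network'
}

# secedit writes principals as *<SID>, so translate the account name to its SID first.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export the effective (local policy plus GPO-applied) user rights to a temporary .inf.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $inf
Remove-Item -Path $inf

# A right that is missing from the export is held by nobody, so default every right to $false.
$held = @{}
foreach ($r in $rightsOfInterest.Keys) { $held[$r] = $false }

# Each [Privilege Rights] line looks like: SeDenyInteractiveLogonRight = *S-1-5-21-...,*S-1-5-32-546
foreach ($line in $lines) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$' -and $rightsOfInterest.Contains($Matches[1])) {
        $holders = $Matches[2].Split(',') | ForEach-Object { $_.Trim() }
        $held[$Matches[1]] = ($holders -contains "*$sid") -or ($holders -contains $Account)
    }
}

# One row per right of interest, showing whether the account itself is listed on it.
foreach ($r in $rightsOfInterest.Keys) {
    [pscustomobject]@{ Constant = $r; Right = $rightsOfInterest[$r]; Held = $held[$r] }
}
```

The script matches only the account's own SID or name, so a right it gains through group membership (Domain Admins, Backup Operators, and the like) shows as not held; check those groups' entries in the same export separately.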