Score:2

If I set a policy to deny log on locally for a particular AD user, will it affect existing logged on sessions belonging to that user in any way?


Background

Historically in my organisation we have used a particular shared domain admin account (let's call it SharedDA) for almost everything. It is currently logged on to several dozen servers. Bad juju.

Saner minds are now prevailing and we are planning to completely remove access to this SharedDA account, with the ultimate aim of deleting it; however, we have a certain number of technical staff who, for whatever reason (presumably laziness/muscle memory), insist upon continuing to log on to Windows servers using the account.

Some of these active sessions are hosting running processes in the GUI that will need to be stopped and restarted under new credentials. We obviously plan to do this in a managed fashion; however, as quickly as we are getting rid of SharedDA sessions on devices around our estate, they are also being created. This effort is additionally hampered by there being very little capacity for even the minimal downtime involved in the remediation process.

What I would like to do is set a policy which denies log on locally to the SharedDA account, with the aim of stopping this "one step forward, two steps back" time sink we find ourselves in. However, I am worried that doing this may affect currently logged-on sessions, and I would simply like some reassurance from someone who has done this before, or who knows for sure, as to whether or not this will happen.

I could of course do some testing with another account, and in the absence of a definitive answer I will indeed do that and come back here with my results.

I also know that I can fairly easily find out who is creating these sessions by getting the client name they are connecting from, and we have actually done this and spoken to the people concerned but they are still doing it. Plus a number of our suppliers have the credentials, having been given them in the past, and are in the habit of using them also (did I say bad juju already?). Trying to stem the flow has been a fruitless task, hence this plan.

Question

If I set a policy to deny log on locally for a particular AD user, will it affect existing logged on sessions belonging to that user in any way?
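The asker plans to test the policy against a throwaway account before touching SharedDA. The following PowerShell is an added example, not from the original post, that supports that before/after test: it checks whether the account is listed under the "Deny log on locally" right (SeDenyInteractiveLogonRight) on the local server, lists the account's current sessions, and pulls the client workstation and source IP for its logons from Security event 4624. The account name `CONTOSO\TestDenyUser` is a placeholder; run it elevated on a test server.

```powershell
# Added example (not from the original post). Read-only checks to run on a
# test server before and after assigning "Deny log on locally" to a test account.
# Assumptions: elevated PowerShell 3+; the account name below is a placeholder.
param([string]$Account = 'CONTOSO\TestDenyUser')   # hypothetical test account
$sam = ($Account -split '\\')[-1]

# 1. Is the account in SeDenyInteractiveLogonRight ("Deny log on locally")?
#    secedit stores principals as *<SID>, so resolve the SID first.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $inf -Pattern '^SeDenyInteractiveLogonRight' |
        Select-Object -First 1
$assignees = if ($line) { ($line.Line -split '=')[1] -split ',' | ForEach-Object Trim } else { @() }
"Deny log on locally applied to ${Account}: $($assignees -contains "*$sid")"

# 2. Sessions the account currently holds on this server. 'query user <name>'
#    lists only that account and exits 1 (with stderr text) when there are none.
function Get-AccountSessions([string]$Name) {
    $out = query user $Name 2>$null
    if ($LASTEXITCODE -ne 0) { return @() }
    $out | Select-Object -Skip 1          # drop the header row
}
"Sessions for $sam on ${env:COMPUTERNAME}:"
Get-AccountSessions $sam

# 3. Where the logons came from: Security event 4624 carries the client
#    workstation name and source IP. Logon type 2 = interactive (console),
#    10 = RemoteInteractive (RDP). Property indices follow the standard 4624 layout
#    (5 = TargetUserName, 8 = LogonType, 11 = WorkstationName, 18 = IpAddress).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
    Where-Object { $_.Properties[5].Value -ieq $sam -and $_.Properties[8].Value -in 2, 10 } |
    Select-Object TimeCreated,
        @{ n = 'LogonType';   e = { $_.Properties[8].Value } },
        @{ n = 'Workstation'; e = { $_.Properties[11].Value } },
        @{ n = 'SourceIP';    e = { $_.Properties[18].Value } } |
    Format-Table -AutoSize
```

Run it once with the test account logged on, apply the deny policy (and `gpupdate /force` if it comes from a GPO), then run it again: section 1 should flip to True and section 2 shows whether the existing session is still present, which is the question being asked. Section 3 needs the "Audit Logon" subcategory enabled for success events.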

djdomi: First, it must be a top-down command initiated. That means that your boss has to do his job first. However, first create the users and a separate admin account; remember that it is required to enable a GPO that logs any action.
blackworx: Sorry @djdomi, I'm not asking how to organise the project - that's been dealt with already. Nor am I looking for advice on how to do it differently. My question is simply about the effect of applying the "deny log on locally" policy to the existing account when it has active logged-on sessions.
vidarlo: @blackworx I edited your question to make it hopefully a bit clearer what you ask. If you disagree with my edit, feel free to roll it back :)
djdomi: Well, you can restrict the access by editing the account and choosing where it is allowed to log in, and it is also possible to restrict the login time.