Open for Voting

Allow service account to be denied interactive logon

The service account for ARM is recommended to be Local / Domain Admin.  This gives a lot of permissions to an account.  One thing I like to do with privileged service accounts is to disable local logon and terminal logon.  This provides a good control in case the password is learned by unauthorized users.  Unfortunately, ARM will not work properly when interactive login is disabled.  Allowing this feature would greatly help us secure our service accounts.

The GPO settings can be found at Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment:

Deny log on locally

Deny log on through Terminal Services

Thanks,

Mike Streufert
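An added example, not part of the original post or of ARM: a PowerShell check of whether a service account is directly listed under the two user rights behind the GPO settings named above. The account name `CONTOSO\svc-arm` is a hypothetical placeholder, and the script assumes an elevated prompt on the host being checked.

```powershell
# Hypothetical account name; replace with the service account to check.
param([string]$Account = 'CONTOSO\svc-arm')

# User-right constants that back the two GPO settings named in the post.
$rights = [ordered]@{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
}

function Resolve-Sid([string]$Name) {
    # Translate an account name to its SID string; return $null if it cannot be resolved.
    try {
        ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }
}

$accountSid = Resolve-Sid $Account
if (-not $accountSid) { throw "Cannot resolve account '$Account' to a SID." }

# Export the effective local user rights assignment to a temporary INF file.
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'secedit export failed; run from an elevated prompt.' }
try { $lines = Get-Content -Path $cfg } finally { Remove-Item $cfg -ErrorAction SilentlyContinue }

foreach ($right in $rights.Keys) {
    # A right with no members may be absent from the export entirely.
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $members = @()
    if ($line) {
        $members = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }
    # Entries are written as *<SID> or, for some principals, as a plain name.
    $memberSids = foreach ($m in $members) {
        if ($m.StartsWith('*')) { $m.TrimStart('*') } else { Resolve-Sid $m }
    }
    [pscustomobject]@{
        Setting = $rights[$right]
        Right   = $right
        Account = $Account
        Denied  = ($memberSids -contains $accountSid)
    }
}
```

The check covers direct assignment only; an account denied through membership in a listed group will show `Denied = False` here.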