Can I prohibit the service account of FSx for Windows Server from interactive logon?


I am now starting to use FSx for Windows Server, and I will create a domain user onto the self managed Active Directory of my company, in order to use as the service account for FSx I understand that this domain user as the service account will be used by FSx like as a system account, so I would like to prohibit this domain user from interactive logon. Is it possible?

asked 9 months ago234 views
2 Answers
Accepted Answer

Hello, Kimiharu Moriya. Yes, it is possible to prohibit a domain user from interactive logon in a Windows environment, including when you're using FSx for Windows Server and have a self-managed Active Directory. To achieve this, you can set the "Deny logon locally" user rights assignment for the specific domain user. This will prevent the user from logging in interactively on any machine in the domain.

Here's how you can do it:

Open Group Policy Management: On a Windows Server machine that has administrative privileges, open the "Group Policy Management" console.

Create a New Group Policy Object (GPO): Create a new GPO or select an existing GPO where you want to apply this policy.

Edit the GPO: Right-click on the GPO and select "Edit." Navigate to "Computer Configuration" > "Policies" > "Windows Settings" > "Security Settings" > "Local Policies" > "User Rights Assignment."

Configure "Deny logon locally": In the right pane, locate the "Deny logon locally" policy. Double-click on "Deny logon locally" to edit it. Click "Add User or Group" and specify the domain user account that you want to prohibit from interactive logon. Click "OK" to add the user to the list. Close the Policy Editor: After adding the user, close the Group Policy Editor.

Link the GPO: In the Group Policy Management console, link the GPO to the appropriate Organizational Unit (OU) where the FSx for Windows Server is located or where you want to apply this policy. Force Group Policy Update:

You can either wait for the Group Policy to update automatically (typically within 90 minutes) or you can force an immediate update on the target machine by running the following command in Command Prompt: gpupdate /force.

Best regards, Andrii

profile picture
answered 9 months ago

Andrii S san Thank you for your clear answer and detail explanation to set the Group Policy! They are very very helpful for me and my company.

answered 9 months ago
  • Thanks for the question and have a nice day)

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions