When you create a user account for a Windows service to run as, the default settings are usually applied to that account. That is, the account can be used for interactive login.
After I came across two articles here and here, I worked out my own way of doing this on Windows Server 2008 SP2.
- On the domain controller, create a Global Security group named Domain Service Accounts (optionally with description All domain service accounts)
- Add the service accounts that you want to deny interactive login to the newly created group Domain Service Accounts
- Run Group Policy Management. In the left navigation pane, expand Group Policy Management > Forest > Domains, right-click the domain name to which you would like to apply the deny-login policy, and select Create a GPO in this domain, and Link it here… from the menu
- Name the new GPO Domain Service Accounts and click OK
- On the left navigation pane, under the domain name, expand Group Policy Objects, click on the GPO Domain Service Accounts and set the GPO Status to User configuration settings disabled as user configuration settings will not be used
- On the left navigation pane, click on the domain name, and on the right pane, in the Linked Group Policy Objects tab, reorder the GPO Domain Service Accounts to have link order smaller than the Default Domain Policy, then right click on the GPO Domain Service Accounts and select Edit from the menu
- In the Group Policy Management Editor window that opens, in the left navigation pane, expand Domain Service Accounts > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment, and add the group Domain Service Accounts to the two policies Deny log on locally and Deny log on through Terminal Services
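To confirm the GPO actually reached a member server, the script below (an added example, not part of the original post) exports the local user rights with secedit and checks that both deny rights list the group. Without -Live it runs against a constructed sample; the sample SID and export lines are made up for illustration, and the group name is the one used in the steps above.

```powershell
# Added example: verify that both deny-logon rights include the service-account group.
# Assumptions: group name from the steps above; sample SID and export text are constructed.
param(
    [string]$GroupName = 'Domain Service Accounts',
    [switch]$Live   # query this machine instead of the constructed sample
)

# Privilege names secedit uses for the two policies set in the GPO.
$rights = @{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
}

function Get-RightHolders([string[]]$InfLines, [string]$Right) {
    # Export lines look like: SeDenyInteractiveLogonRight = *S-1-5-21-...,Guest
    foreach ($line in $InfLines) {
        if ($line -match "^\s*$Right\s*=\s*(.*)$") {
            return $Matches[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
        }
    }
}

if ($Live) {
    # Needs an elevated prompt; run it after the GPO has been applied (gpupdate /force).
    $account = New-Object System.Security.Principal.NTAccount($GroupName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $cfg
    Remove-Item $cfg
} else {
    # Constructed sample: the remote-logon right is missing the group on purpose.
    $sid = 'S-1-5-21-1111111111-2222222222-3333333333-1601'
    $lines = @(
        '[Privilege Rights]',
        "SeDenyInteractiveLogonRight = Guest,*$sid",
        'SeDenyRemoteInteractiveLogonRight = Guest'
    )
}

foreach ($right in $rights.Keys) {
    $holders = @(Get-RightHolders $lines $right)
    # secedit normally writes domain groups as *SID, but accept a plain name as well.
    $found = @($holders | Where-Object {
        $_ -eq $sid -or $_ -eq $GroupName -or $_ -like "*\$GroupName" }).Count -gt 0
    $state = if ($found) { 'OK     ' } else { 'MISSING' }
    "{0}  {1} ({2})" -f $state, $rights[$right], $right
}
```

A right reported as MISSING means accounts in the group can still log on through that path on the machine checked.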
Because the printer was replaced, I needed to reconfigure all the PCs to remove the old printer and add the new printer. It was strange to find that, out of 4 PCs, 2 of them didn't work.
On Windows 7 PC:
- Unable to delete the printer
- Unable to change the default printer
After searching on the Internet and checking the differences between the working and non-working PCs, it looks like the 2 PCs which had the problem were infected with malware before. The permissions on the printer-related registry key were incorrectly set.
- Run registry editor regedit
- Go to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
- In the menu, select Edit > Permissions
- Click Advanced and make sure all permissions are inherited from CURRENT_USER
Some time ago I needed to change the NTP setting on a Windows Server which is running the Active Directory (AD) service. Not sure why the usual way to set NTP on Windows 7 or non-AD servers via the GUI is not an option. It simply doesn't have a GUI for you! Anyway, after some Googling, here is the command I used. Assume the NTP server is 192.168.0.150.
w32tm /config /update /manualpeerlist:192.168.0.150,0x9 /syncfromflags:MANUAL /reliable:YES
Then force resync from the NTP source so that the source can be displayed correctly in the next command.
Finally double check if the NTP source is configured correctly
w32tm /query /source
The 0x9 flag is important, as I can't make it work without it. I'm still not sure what the flag does, but according to the article Windows Time Service Tools and Settings this marks the server as Always time server and Automatic reliable time server.