The Deny Logon Locally right, in conjunction with Allow Log On As A Service should take care of things, I would think.
Both are set from the Security Group Policy settings (local or AD). In addition, you can set the service account to only allow any kind of logon to the necessary machine(s) from the accounts properties in AD. http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnd_urs_wyxu.asp details the different logon rights. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/service_logon_accounts.asp is pretty much self explanatory based on the title, and should be a good starting point for further research. --------------------------------------------------------------------------- ---------------------------------------------------------------------------
