We have 2 domain administrator accounts in Active Directory: "Administrator" and "Robocopy".
Robocopy is a service account associated with a scheduled task which executes a batch file, which in turn runs Robocopy (on our SBS 2003 file server/domain controller).
The reason this account was made a member of the "domain administrator" group a couple of years ago when it was created was because I was unable to assign a non-domain administrator account in Scheduled Tasks to run a batch file on the server.
I would now like to restrict the "Robocopy" account as much as possible, including denying it network access so that it cannot be used to log on to anything other than the server.
At the very least, I am looking to remove the "Robocopy" account from the "domain administrators" group.
What is the best-practice method for achieving this?
Update:
Could any of these default security groups be used to achieve what I want?
Best Answer
The security policy in the Default Domain Controllers Group Policy Object (GPO) doesn't permit unprivileged users to logon interactively or as batch jobs (which is how Scheduled Tasks run) on Domain Controller (DC) computers. Your first problem in making this account unprivileged (which is a good idea) is going to be modifying the security policy.
Your cmd.exe permissions may need to be changed, too, because non-Administrator users are restricted from executing scripts non-interactively in Windows 2003.

Once you've taken care of that you'll also need to sort out making sure that the user account running robocopy actually has rights to read and write to the source and destination locations. Since the account has been privileged in the past you haven't really had to worry about that.
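The answer above lists three things to verify on the server before the account is dropped from Domain Admins: its group membership, whether it holds the "Log on as a batch job" right that scheduled tasks need, and its NTFS rights on the source and destination. The following PowerShell audit script is an added example, not part of the question or the answer; it uses net user, secedit and Get-Acl, all of which exist on supported Windows versions. The account name CONTOSO\Robocopy and the two folder paths are assumptions and must be edited for the real environment.

```powershell
# Added example (not from the question or the answer above): audit the three
# things the answer says must be sorted out before "Robocopy" leaves Domain Admins.
# Account name and folder paths are assumptions; edit them for your environment.
# Run from an elevated PowerShell prompt on the server that runs the scheduled task.

$Account = 'CONTOSO\Robocopy'           # assumed DOMAIN\user of the service account
$Source  = 'D:\Shares\Data'             # assumed robocopy source folder
$Dest    = '\\backupsrv\Backups\Data'   # assumed robocopy destination folder

# --- 1. Group membership: is the account still in Domain Admins? ---
$user = $Account.Split('\')[-1]
Write-Host "== Group memberships of $Account =="
net user $user /domain | Select-String -Pattern 'Group memberships'

# --- 2. User rights on this server. Scheduled tasks run as batch logons, so the
# account (or a group it belongs to) needs SeBatchLogonRight. The deny rights are
# listed too because the question asks about blocking network logons.
# secedit exports the effective policy; accounts appear as *S-1-5-... SIDs.
$ntAccount = New-Object System.Security.Principal.NTAccount($Account)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = Get-Content $cfg -ErrorAction Stop

Write-Host "== User rights on $env:COMPUTERNAME for $Account ($sid) =="
foreach ($priv in 'SeBatchLogonRight', 'SeInteractiveLogonRight',
                  'SeDenyBatchLogonRight', 'SeDenyNetworkLogonRight') {
    $line = $rights | Where-Object { $_ -like "$priv *" }
    if (-not $line) {
        Write-Host ("{0,-26} not defined in the exported policy" -f $priv)
        continue
    }
    # A direct SID match means the right is assigned to the account itself;
    # otherwise it may still hold the right through one of the listed groups.
    $direct = $line -match [regex]::Escape($sid)
    $state  = if ($direct) { 'assigned to the account itself' }
              else         { 'not assigned directly (check the groups listed)' }
    Write-Host ("{0,-26} {1}" -f $priv, $state)
    Write-Host "    $line"
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# --- 3. NTFS rights on source and destination for the account. Only explicit
# ACEs for the account are shown; access granted through a group will not appear.
foreach ($path in @($Source, $Dest)) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Host "$path : not reachable from this server"
        continue
    }
    $aces = (Get-Acl -Path $path).Access |
            Where-Object { $_.IdentityReference.Value -eq $Account }
    if ($aces) {
        foreach ($a in $aces) {
            Write-Host ("{0} : {1} {2}" -f $path, $a.AccessControlType, $a.FileSystemRights)
        }
    } else {
        Write-Host "$path : no explicit ACE for $Account (access, if any, comes from a group)"
    }
}
```

The script only reports; it changes nothing. As the answer points out, on a domain controller the user rights shown in step 2 come from the Default Domain Controllers Policy GPO, so any change to "Log on as a batch job" belongs in that GPO rather than in the server's local security policy. Re-run the script after the account has been removed from Domain Admins to confirm the batch logon right and the folder ACLs still cover it.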