Create JIMS Collector Service Accounts

Create the following service accounts with limited privileges in Active Directory so that each account has only the permissions it needs to perform its task.

  • JIMS-EventSource: Used to get Microsoft event logs.

  • JIMS-DirectoryService: Used to get usernames, devices, and groups from the directory service.

  • JIMS-PCProbe: Used to probe a Microsoft Windows computer in your Active Directory domain.

You will need to add the service accounts on JIMS Collector. Perform the following procedures to configure each service account.

Configuring Limited Permission User Accounts

For each new user account:

  1. From the Start menu, select Active Directory Users and Computers.
  2. Navigate to the forest’s Users container.
  3. Right-click Users and select New Users.
  4. Specify a descriptive first and middle name and any username or pre-Windows 2000 username.
  5. Specify a password according to your organization’s password policy.
  6. Clear the User must change password at next login check box.
  7. Select the User cannot change password check box.
  8. Select the Password never expires check box.

Configuring Properties for Limited Permission User Accounts

To set properties for each new user account:

  1. Right-click a user and then select Properties.
  2. Select the Remote Control tab.
  3. Clear the Enable Remote Control check box.
  4. Select Remote Desktop Services Profile.
  5. Select the Deny this user’s permissions to log onto remote desktop session host server check box.
  6. Select the Dial-in tab and select the Deny Access check box.

Adding Limited Permission User Accounts to Active Directory Groups

To add each new user account to an Active Directory group:

  1. Select Built-in under the forest.
  2. Select the Event Log Readers group and add the JIMS-EventLogRemoteAccess account.
  3. Select the Distributed COM Users group and add the JIMS-PC-Probe account.
  4. Select the Remote Management Users group and add the JIMS-PC-Probe account.
  5. Select the Domain Admins group and add the JIMS-PC-Probe account.

Defining Group Policies for Limited Permission User Accounts

To define group policies for each new user account:

  1. From the Start menu, select Group Policy Management.
  2. In the Group Policy Manager, select the forest, select Default Domain Policy, and right-click Edit.
  3. Select Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
  4. Select Deny Logon locally, select Define these policy settings, and add each new user account.
  5. Select Deny Logon through Remote Desktop Services, select Define these policy settings, and add each new user account.
  6. Select Deny Logon through Terminal Services, select Define these policy settings, and add each new user account.
  7. Select Deny logon as a batch job, select Define these policy settings, and add each new user account.
  8. Select Deny Logon as a service, select Define these policy settings, and add each new user account.
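
The following PowerShell audit is an added example, not part of the original Juniper procedure. It reads back the password flags, group memberships, and "Deny log on" user rights that the steps above set by hand. It assumes the RSAT ActiveDirectory module, an elevated session on a domain-joined host where the Default Domain Policy has already applied, and the three account names listed at the top of this page.

```powershell
# Added audit sketch: reads back the settings this page configures by hand.
# Assumptions: RSAT ActiveDirectory module, elevated session, policy already
# applied on this host; adjust $accounts to the names you actually created.
Import-Module ActiveDirectory

$accounts = 'JIMS-EventSource', 'JIMS-DirectoryService', 'JIMS-PCProbe'

# Constant names of the "Deny log on ..." rights from the group policy steps.
# Remote Desktop Services and Terminal Services map to the same right.
$denyRights = 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight',
              'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight'

# Export the effective user-rights assignment and index it by right name.
$cfg = Join-Path $env:TEMP 'jims-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg

foreach ($name in $accounts) {
    $u = Get-ADUser -Identity $name -Properties PasswordNeverExpires,
             CannotChangePassword, MemberOf
    # Reduce each group DN to its common name for a readable report.
    $groups = $u.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }
    # secedit normally writes principals as *SID; also accept a bare name.
    $missing = $denyRights | Where-Object {
        $rights[$_] -notcontains $u.SID.Value -and $rights[$_] -notcontains $name
    }
    [pscustomobject]@{
        Account              = $name
        PasswordNeverExpires = $u.PasswordNeverExpires
        CannotChangePassword = $u.CannotChangePassword
        Groups               = $groups -join '; '
        MissingDenyRights    = $missing -join ', '
    }
}
```

An empty MissingDenyRights column means all four deny rights are in effect for that account on the host where the script ran; the Groups column shows which accounts hold membership in privileged groups so it can be reviewed against the group steps above.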