Can I prohibit the service account of FSx for Windows Server from interactive logon?

Hello, Kimiharu Moriya. Yes, it is possible to prohibit a domain user from interactive logon in a Windows environment, including when you're using FSx for Windows Server and have a self-managed Active Directory. To achieve this, you can set the "Deny logon locally" user rights assignment for the specific domain user. This will prevent the user from logging in interactively on any machine in the domain.

Here's how you can do it:

Open Group Policy Management: On a Windows Server machine that has administrative privileges, open the "Group Policy Management" console.

Create a New Group Policy Object (GPO): Create a new GPO or select an existing GPO where you want to apply this policy.

Edit the GPO: Right-click on the GPO and select "Edit." Navigate to "Computer Configuration" > "Policies" > "Windows Settings" > "Security Settings" > "Local Policies" > "User Rights Assignment."

Configure "Deny logon locally": In the right pane, locate the "Deny logon locally" policy. Double-click on "Deny logon locally" to edit it. Click "Add User or Group" and specify the domain user account that you want to prohibit from interactive logon. Click "OK" to add the user to the list. Close the Policy Editor: After adding the user, close the Group Policy Editor.

Link the GPO: In the Group Policy Management console, link the GPO to the appropriate Organizational Unit (OU) where the FSx for Windows Server is located or where you want to apply this policy. Force Group Policy Update:

You can either wait for the Group Policy to update automatically (typically within 90 minutes) or you can force an immediate update on the target machine by running the following command in Command Prompt: gpupdate /force.

Best regards, Andrii