
We use TeamCity as our CI server. At some stage in our build pipeline we need to run a PowerShell script, which applies a checkpoint to a certain virtual machine hosted on a dedicated Hyper-V server.

TeamCity agents work as a special user; let's call that account TCAgent. Its password is shared among many people. To allow this user to execute the PowerShell script on the Hyper-V server I need to allow that user to log in to the server, which is highly insecure.

So, I need the user TCAgent to be able to execute a certain script on the server, but no more. How can I accomplish that?

1 Answer


In either the local group policy (gpedit.msc) or an actual group policy, you can set these settings.

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on locally

Deny log on locally

This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.

Important

If you apply this security policy to the Everyone group, no one will be able to log on locally.

Default: None.

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on as a batch job

Log on as a batch job

This security setting allows a user to be logged on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows.

For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user.


Default: Administrators, Backup Operators.

These 2 settings should accomplish what you want to do.
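
One way to confirm that both settings are in effect on the Hyper-V server, as an added example that is not part of the original answer: it exports the user-rights area of the local security policy with secedit and checks whether the account is listed under the two rights. The account name TCAgent is taken from the question; the script assumes an elevated PowerShell session and looks only at direct assignments, not rights inherited through group membership.

```powershell
# Added example: audit the two user rights named in the answer for one account.
# Assumption: the account is called TCAgent (the name used in the question).
param([string]$Account = 'TCAgent')

# Privilege constants behind the two Group Policy entries.
$expected = [ordered]@{
    SeDenyInteractiveLogonRight = 'Deny log on locally'
    SeBatchLogonRight           = 'Log on as a batch job'
}

# Resolve the account to its SID; secedit writes most entries as *S-1-5-...
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the local security policy.
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
try {
    $lines = Get-Content -Path $cfg
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

$missing = 0
foreach ($right in $expected.Keys) {
    # Lines look like: SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $members = @()
    if ($line) {
        $members = ($line -split '=', 2)[1].Split(',') |
                   ForEach-Object { $_.Trim().TrimStart('*') }
    }
    # Entries may be SIDs or plain account names; accept either form.
    $granted = ($members -contains $sid) -or ($members -contains $Account)
    if (-not $granted) { $missing++ }
    [pscustomobject]@{
        Setting = $expected[$right]
        Right   = $right
        Account = $Account
        Present = $granted
    }
}
if ($missing) {
    Write-Warning "$missing of $($expected.Count) settings are not assigned to $Account directly."
}
```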
