Re: Server Logins

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 11/24/04

  • Next message: Yannick Béot: "Re: Recovery from a crash" 
    Date: Tue, 23 Nov 2004 23:23:33 -0700

    I need to differ a little from Mike's advise, or expand/clarify
    it. In a member (server or workstation) it is common to see
    Domain Users as a member of the Users group on the
    machine. So, following what Mike outlined in insufficient.
    You must also remove Domain Users from the machine
    local Users group. Now, be careful. If there are any
    domain accounts that must be allowed, for example, for
    use as service accounts make sure that these get added
    when Domain Users is removed.
    Now, we are still not there. It is also common to see
    Authenticated Users in the machine local Users group.
    Here is what happens. A Domain User member tries
    to log in. The first step is authenticating their login try.
    If this works, they are then an Authenticated User,
    which means they are a machine local Users member,
    which means they have local login rights. So, one must
    remove Authenticated Users from the machine local
    Users group in order to take control over which domain
    account can and cannot log in locally if Users group is
    granted the right to log in locally. 

    -- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA,  MCSE W2k3+W2k+Nt4
"AjjuAjju" <ajjuajju@gmail.com> wrote in message 
news:a5def859.0411230720.488c3c77@posting.google.com...
> I've asked this before but didn't get an answer that works.  For some
> reason, uses in our domain can login to Servers from the console (I've
> tested this with a test account - users can't actually get physical
> access to the servers.) As a security measure, I don't want a domain
> user to be able to login, if they somehow got access.
>
> How do I do this?  I tried using a GP but I thought that domain users
> by default cannot login to W2k server.
>
> Thanks.
  • Next message: Yannick Béot: "Re: Recovery from a crash"

    Relevant Pages

    • Re: Least amount of privileges
      ... It depends on what the domain users group has for permissions. ... Does this third party program have a service account that runs the app for ... moving this app off of your sql server and put it on a seperate server. ...
      (microsoft.public.windows.server.active_directory)
    • Re: Programs dont open
      ... The user was created as a mobile user and is a Member Of ... Domain Users ... This user is configured as a remote user on the server. ... By this I mean that as an administratot of a local pc the administrator is ...
      (microsoft.public.windows.server.sbs)
    • Re: Access rights issue with Sharepoint - newbie question
      ... as the WSS server isn't running activedirectory. ... That I took the domain users out of the domain admins group on the WSS ... one that would be making all the site-changes to the SharePoint app as ... Administrators Group) - I believe it may be because the users are not ...
      (microsoft.public.sharepoint.windowsservices)
    • Re: Windows Server 2003 Auto connect printers;
      ... For example, you could make Domain Users a member of the Remote Desktop Users group, this would allow all users of the domain to logon. ... What rights would be required then for a normal basic user to login to a TS without having NT Authentication. ...
      (microsoft.public.win2000.termserv.apps)
    • Re: Access rights issue with Sharepoint - newbie question
      ... as the WSS server isn't running activedirectory. ... That I took the domain users out of the domain admins group on the WSS ... one that would be making all the site-changes to the SharePoint app as ... Administrators Group) - I believe it may be because the users are not ...
      (microsoft.public.sharepoint.windowsservices)