Re: Domain Users

From: Roger Abell [MVP] (mvpNOSPAM@asu.edu)
Date: 04/16/03

Next message: Roger Abell [MVP]: "Re: Troubleshooting XP bugchecks"
Previous message: Weichert: "Deactivate Icons and programs that load for User with LIMITED USER ACCESS"
In reply to: John: "Domain Users"
Next in thread: John: "Re: Domain Users"
Reply: John: "Re: Domain Users"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Roger Abell [MVP]" <mvpNOSPAM@asu.edu>
Date: Tue, 15 Apr 2003 21:31:48 -0700

Other than business ethics, technically yes, this has
everything to do with the two member entries in the
Users group that you mentioned.
Until these are removed from Users, the local security
policy to Allow Local Logon has no effect in limiting
which domain user accounts may log in locally. When
you remove these two from Users, if you do, make very
sure you have granted local login to the account that
should have access (this can be done by making those
accounts members of Users). I assume that you have
already removed Domain Users from Users.

-- 
Roger Abell
MS MVP (Security, Windows), MCDBA,  MCSE both
Associate Expert - Windows XP ExpertZone
http://www.microsoft.com/windowsxp/expertzone
"John" <j@nowhere101.com> wrote in message news:uoVrxU3ADHA.1820@TK2MSFTNGP12.phx.gbl...
> I am a Windows XP Pro computer (workstation) on a Windows NT Domain.  How do
> I go about configuring my computer so that nobody else can log onto my PC?
> It seems that anyone who can authenticate to the domain can use my PC.  I
> see this as a security problem since anyone of the company's users can walk
> into my office, log onto my PC and start poking around.
> 
> I have removed everybody from the local Admin group except for myself so it
> appears as though they are all in the Users group.
> 
> Does this have something to do with the NT AUTHORITY\Authenticated Users or
> NT AUTHORITY\INTERACTIVE settings I see in the list of members in the Users
> group?
> 
> 
>

Next message: Roger Abell [MVP]: "Re: Troubleshooting XP bugchecks"
Previous message: Weichert: "Deactivate Icons and programs that load for User with LIMITED USER ACCESS"
In reply to: John: "Domain Users"
Next in thread: John: "Re: Domain Users"
Reply: John: "Re: Domain Users"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Group shows members SID instead of account name
... I have 2 Windows 2000 Servers SP4 as ... local user accounts. ... domain user to the group but their SID only displays. ... > members box instead of the account name. ...
(microsoft.public.win2000.active_directory)
Re: Non-admin accounts logon problem...
... users are all in the users group, ... non-admin account I use normally. ... the user reboot the machine and the computer is ... >> When I tried to log on as non-administrator accounts, ...
(microsoft.public.windowsxp.security_admin)
Re: Local Users Group - Safefly removing users ?
... what remains in the Users group. ... if only locally defined non-guest accounts ... no. Denying local login is done with the Deny login locally user right. ... Notice that I have a few times qualified with "member" by which I have ...
(microsoft.public.security)
Re: Icons and taskbar do not load upon bootup
... using the Admin accounts, once back up and running I will switch the accounts ... Running Windows 2000 or Windows XP as an administrator makes the system ... unfamiliar Internet site may have Trojan horse code that can be downloaded ... You should add yourself to the Users or Power Users group. ...
(microsoft.public.windowsxp.help_and_support)
Re: Non-admin accounts logon problem...
... Users group makes them able to do so. ... the user reboot the machine and the computer is ... and then all the non-admin accounts are ... >>> When I tried to log on as non-administrator accounts, ...
(microsoft.public.windowsxp.security_admin)