Re: Allow log on locally in Default Domain Controller Policy.



There is no reason that a normal user needs to log on to a Domain Controller.
Anything he needs should be accessed through an API. Files are accessed
through shares, printers through spooler, applications through whatever API
that the app provides. Only members of one of the Admin groups, by default,
are allowed Logon rights to a DC. Member servers are an entirely different
issue.

Are we talking about the same thing?

"zenner" <zenner@xxxxxxxxxxx> wrote in message
news:fnIpe.1581$Z44.602@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Is your DC also serving double duty as possibly a File or Printer server?
>
> Your System Administrator may have an explanation, if you are not the
> sysAdmin...then ask him or her (respectfully, if possible.) if they knew
> about it and/or intended to include domain users in the "logon locally"
> permission list, and if so...why?
>
> Asked in the right way you may get an explanation that is reasonable,
> given the circumstances of your company's environment.
>
> Even the best guidelines have exceptions...that's why they are called
> guidelines, instead of rules.
> "Rebsu" <Rebsu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:BD38617E-5A13-4A21-A5D1-A7EB4A732294@xxxxxxxxxxxxxxxx
>> I was looking over our group policy settings while studying for 70-292 and
>> noticed that the group Domain Users is included in the Allow log on locally
>> setting in the Default Domain Controller Policy. Is this ok or dangerous?
>> Is it necessary? DCs are 2003 standard.
>
>
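One way to check for the setting discussed in this thread, as an added example that is not part of the original posts: it reads the text of a security template (a GPO's GptTmpl.inf or the output of `secedit /export /areas USER_RIGHTS`) and classifies who holds SeInteractiveLogonRight, the constant behind "Allow log on locally". The allow-list of built-in groups, the function names and the sample template are assumptions constructed for illustration.

```python
import re

RIGHT = "SeInteractiveLogonRight"  # stored name of "Allow log on locally"

# Assumed allow-list for a DC: built-in admin/operator groups (well-known SIDs).
EXPECTED = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-9": "Enterprise Domain Controllers",
}
# Principals that effectively mean "every ordinary user".
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
         "S-1-5-32-545": "Users"}
DOMAIN_USERS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")  # RID 513 = Domain Users

def holders(inf_text, right=RIGHT):
    """Return principals granted `right` under [Privilege Rights], or None."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == right.lower():
                # SIDs are written with a leading '*'; names appear bare.
                return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return None  # the template does not define this right

def review(inf_text):
    """Map each holder to 'expected', 'broad' or 'review'."""
    verdicts = {}
    for p in holders(inf_text) or []:
        if p in EXPECTED:
            verdicts[p] = "expected"
        elif p in BROAD or DOMAIN_USERS.match(p) or p.lower().endswith("domain users"):
            verdicts[p] = "broad"
        else:
            verdicts[p] = "review"  # unknown account or group: check by hand
    return verdicts

# Constructed sample template; the domain SID and RID 1105 are made up.
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-513,*S-1-5-21-1111111111-2222222222-3333333333-1105
"""
```

`review(SAMPLE)` marks the RID 513 entry as `broad` and the unknown RID 1105 account as `review`; the Everyone entry is ignored because it belongs to a different right.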

