Re: Allow log on locally in Default Domain Controller Policy.



There is one reason why a normal user needs logon locally permissions to
the server: FTP via IIS. If the user needs FTP access to the server, you
HAVE to give him local logon rights, just because that's the way IIS works.

However, it is more likely the answer to this problem lies in my
previous post in this thread...

zenner wrote:
> There is no reason that a normal user needs to logon to a Domain Controller.
> Anything he needs should be accessed through an API. Files are accessed
> through shares, printers through spooler, applications through whatever API
> that the app provides. Only members of one of the Admin groups, by default,
> are allowed Logon rights to a DC. Member servers are an entirely different
> issue.
>
> Are we talking about the same thing?
>
> "zenner" <zenner@xxxxxxxxxxx> wrote in message
> news:fnIpe.1581$Z44.602@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
>>Is your DC also serving double duty as possibly a File or Printer server?
>>
>>Your System Administrator may have an explanation, if you are not the
>>sysAdmin...then ask him or her (respectfully, if possible.) if they knew
>>about it and/or intended to include domain users in the "logon locally"
>>permission list, and if so...why?
>>
>>Asked in the right way you may get an explanation that is reasonable,
>>given the circumstances of your company's environment.
>>
>>Even the best guidelines have exceptions...that's why they are called
>>guidelines, instead of rules.
>>"Rebsu" <Rebsu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>news:BD38617E-5A13-4A21-A5D1-A7EB4A732294@xxxxxxxxxxxxxxxx
>>
>>>I was looking over our group policy settings while studying for 70-292 and
>>>noticed that the group Domain Users is included in the Allow log on locally
>>>setting in the Default Domain Controller Policy. Is this ok or dangerous?
>>>Is it necessary? DCs are 2003 standard.
>>
>>
>
>

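An audit check for the setting discussed in this thread, added here as an example and not posted by anyone in the thread: it parses the `[Privilege Rights]` section of a GPO security template (the `GptTmpl.inf` text, assumed already decoded to a string) and reports principals in `SeInteractiveLogonRight` that cover ordinary users. The function names are hypothetical and the sample template, including its domain SID, is constructed.

```python
import re

# Well-known SIDs that cover ordinary users (standard Windows values).
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Domain Users is the domain SID followed by RID 513.
DOMAIN_USERS_RID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")
BROAD_NAMES = {"everyone", "authenticated users", "users", "domain users"}

def privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def broad_logon_principals(inf_text, right="SeInteractiveLogonRight"):
    """List principals holding `right` that include ordinary domain users."""
    hits = []
    for p in privilege_rights(inf_text).get(right, []):
        if p.startswith("*"):  # a leading "*" marks a SID entry
            sid = p[1:].upper()
            if sid in BROAD_SIDS:
                hits.append(BROAD_SIDS[sid])
            elif DOMAIN_USERS_RID.match(sid):
                hits.append("Domain Users")
        elif p.split("\\")[-1].lower() in BROAD_NAMES:  # unresolved account name
            hits.append(p)
    return hits

# Constructed sample (not from the thread): a DC policy where Domain Users was added.
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551,*S-1-5-21-1004336348-1177238915-682003330-513
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
"""

if __name__ == "__main__":
    print(broad_logon_principals(SAMPLE))
```

An empty result for `SeInteractiveLogonRight` means only the listed operator and administrator groups can log on at the console; the same function can be pointed at other rights by name.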


