Re: Allow log on locally in Default Domain Controller Policy.
- From: "<!-- The F-Word --> <? echo \"General Microcephalic S. Bob\"; ?> <!-- Antisocial Interfaces --> // 270-290-291-293-294-298-299" <{ http://www.planetoftheheads.com/ - head first into the future }>
- Date: Fri, 10 Jun 2005 22:20:42 -0700
rainman touches fat people... film at eleven...
"rainman" <news.76939@xxxxxxxxxxxxxxxxxxx> wrote in message
news:pridnRuKYcT1KTTfRVn-jQ@xxxxxxxxxxxxxxxxxxxxxx
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> There is one reason why a normal user needs logon locally permissions to
> the server: FTP via IIS. If the user needs FTP access to the server, you
> HAVE to give him local logon rights, just because that's the way IIS
> works.
>
> However, it is more likely the answer to this problem lies in my
> previous post in this thread...
>
> zenner wrote:
>> There is no reason that a normal user needs to logon to a Domain
>> Controller.
>> Anything he needs should be accessed through an API. Files are access
>> through shares, printers through spooler, applications through whatever
>> API
>> that the app provides. Only members of one of the Admin groups, by
>> default,
>> are allowed Logon rights to a DC. Member servers are an entirely
>> different
>> issue.
>>
>> Are we talking about the same thing?
>>
>> "zenner" <zenner@xxxxxxxxxxx> wrote in message
>> news:fnIpe.1581$Z44.602@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>
>>>Is your DC also serving double duty as possibly a File or Printer server?
>>>
>>>Your System Administrator may have an explanation, if you are not the
>>>sysAdmin...then ask him or her (respectfully, if possible.) if they knew
>>>about it and/or intended to include domain users in the "logon locally"
>>>permission list, and if so...why?
>>>
>>>Asked in the right way you may get an explanation that is reasonable,
>>>given the circumstances of your companies environment.
>>>
>>>Even the best guidelines have exceptions...that's why the are called
>>>Guideline, instead of rules.
>>>"Rebsu" <Rebsu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>news:BD38617E-5A13-4A21-A5D1-A7EB4A732294@xxxxxxxxxxxxxxxx
>>>
>>>>I was looking over our group policy settings while studying for 70-292
>>>>and
>>>>noticed that the group Domain Users is included in the Allow log on
>>>>locally
>>>>setting in the Default Domain Controller Policy. Is this ok or
>>>>dangerous?
>>>>Is it necessary? DCs are 2003 standard.
>>>
>>>
>>
>>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFCqbRk9ZOMhmWO5XkRAjWvAJ0Z2HcgTi2RbCxmw/38TFnqVEimJACfeYyN
> MeUR8n07AJTwj/OlFoBrnCY=
> =fQ/S
> -----END PGP SIGNATURE-----
.
- References:
- Prev by Date: Re: MCSE to be scrapped
- Next by Date: Re: MCSE to be scrapped
- Previous by thread: Re: Allow log on locally in Default Domain Controller Policy.
- Next by thread: MCSE to be scrapped
- Index(es):
Relevant Pages
|
