Re: Why 'allow log on locally" is not configured by default??

---

• From: dav.stock99@xxxxxxxxx
• Date: 16 Aug 2006 23:56:23 -0700

---

I was confused about the word 'interactively'. I thoguht that mean you
hit control-alt-del. I got error message about login interractively if
i don't add user name into 'allow to log on locally'.

There are two policy under admin tools -> domain controller security
policy and domain security policy , where both got allow to logon
locally. I presume the first one refer to ctrl-alt-del login on the
ACTUAL DC machine.

What i dont' understand is how user get authenticate if they don't log
into dc (via xp for example)? I look up some forum , and it seems that
member server within the domain will query dc and verify your identity.
So normal user never really need to log on to dc whether via xp.


Dan wrote:

I don't think you're understanding the point the book is making. By logging
onto the domain controller the book means actually hitting control-alt-delete
on the domainn controller server and logging on; actual authentication (which
you are talking about) is allowed and is necessary to logon.
Thanks,
Dan

"dav.stock99@xxxxxxxxx" wrote:

HI,

I am learning Ms Active Direcotry the moment. But i am a bit confused
why we would stop user to log on to
domain controller. Isn't all user in windows network implemented with
AD need to log on to server for authtication purpose? I can't think
about a any situation this not the case. Can anyone help me to clear
off this concept.
sybex: 70-290 pg 142
"NOrmally you don't want regular users to log on to domain controllers
so this actions isn't allowed by defult.

thx in advance
chris

.

---

• Follow-Ups:
  • Re: Why 'allow log on locally" is not configured by default??
    • From: Paul Bergson

• References:
  • Why 'allow log on locally" is not configured by default??
    • From: dav . stock99

• Prev by Date: RE: KDC
• Next by Date: Re: Workstation only sees 1 network share
• Previous by thread: Why 'allow log on locally" is not configured by default??
• Next by thread: Re: Why 'allow log on locally" is not configured by default??
• Index(es):
  • Date
  • Thread

---

Relevant Pages NAT-T / IPSEC issues...... ... I have an IPSEC policy set between a W2K3 server in a DMZ ... and a W2K3 Domain Controller on the internal network. ... (microsoft.public.security) Re: Terminal Server on a Domain Controller ... logons to a DC in your default domain and/or domain controller policy. ... > Win2003 Server with terminal server and active directory running on it. ... (microsoft.public.cert.exam.mcse) Re: Domain Controller locked up ... How do I tell which domain controller is the Global ... Catalog server? ... Global Cat server if it's not already? ... (microsoft.public.win2000.active_directory) Re: Domain Controller Security Policy ... Restricted Groups policy to selectively add user groups into built-in groups ... > but I want another policy for the Domain Controller (the current one is ... (microsoft.public.win2000.group_policy) RE: Migrating from AD 2000 to AD 2003 ... Next step is to make the new server a domain controller in an existing ... How to upgrade Windows 2000 domain controllers to Windows Server 2003 ... (microsoft.public.windows.server.active_directory)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(13)