Re: Why 'allow log on locally" is not configured by default??
- From: "Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Thu, 17 Aug 2006 07:36:47 -0500
Inline
--
Paul Bergson
MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
<dav.stock99@xxxxxxxxx> wrote in message
news:1155797783.184504.311220@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I was confused about the word 'interactively'. I thoguht that mean you
hit control-alt-del. I got error message about login interractively if
i don't add user name into 'allow to log on locally'.
There are two policy under admin tools -> domain controller security
policy and domain security policy , where both got allow to logon
locally. I presume the first one refer to ctrl-alt-del login on the
ACTUAL DC machine.
Domain Controller policy impacts ALL dc's in your network. Domain policy
impacts ALL machines in your network.
What i dont' understand is how user get authenticate if they don't log
into dc (via xp for example)? I look up some forum , and it seems that
member server within the domain will query dc and verify your identity.
So normal user never really need to log on to dc whether via xp.
They aren't attempting to logon to your dc, they are however requesting that
the DC provide information to the machine that is looking to connect a user
to the domain. A user walks up to a workstation enters their user id and
password, the machine takes this information and provides it to the dc
asking it if it is ok that this user log onto this workstation, the
workstation is truxting the dc to let him know whether or not this uses is
trustworthy to log onto the local workstation. At no point is the user
logging onto the dc, the workstation is just getting information provided to
it to determine what this user is allowed to do in the domain.
Dan wrote:
I don't think you're understanding the point the book is making. By
logging
onto the domain controller the book means actually hitting
control-alt-delete
on the domainn controller server and logging on; actual authentication
(which
you are talking about) is allowed and is necessary to logon.
Thanks,
Dan
"dav.stock99@xxxxxxxxx" wrote:
HI,
I am learning Ms Active Direcotry the moment. But i am a bit confused
why we would stop user to log on to
domain controller. Isn't all user in windows network implemented with
AD need to log on to server for authtication purpose? I can't think
about a any situation this not the case. Can anyone help me to clear
off this concept.
sybex: 70-290 pg 142
"NOrmally you don't want regular users to log on to domain controllers
so this actions isn't allowed by defult.
thx in advance
chris
.
- Follow-Ups:
- Re: Why 'allow log on locally" is not configured by default??
- From: dav . stock99
- Re: Why 'allow log on locally" is not configured by default??
- References:
- Why 'allow log on locally" is not configured by default??
- From: dav . stock99
- Re: Why 'allow log on locally" is not configured by default??
- From: dav . stock99
- Why 'allow log on locally" is not configured by default??
- Prev by Date: Re: Global Group or Universal Group???
- Next by Date: Re: Windows Server 2003 R2 Active Directory integration
- Previous by thread: Re: Why 'allow log on locally" is not configured by default??
- Next by thread: Re: Why 'allow log on locally" is not configured by default??
- Index(es):
Relevant Pages
|
