Re: Why 'allow log on locally' is not configured by default??



To logon locally you would have to be sitting in front of the console or use
Terminal services. It has nothing to do with an o/s.

--
Paul Bergson

MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

<dav.stock99@xxxxxxxxx> wrote in message
news:1155858204.188899.138840@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Paul Bergson wrote:
Inline

<dav.stock99@xxxxxxxxx> wrote in message
news:1155797783.184504.311220@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I was confused about the word 'interactively'. I thought that meant you
hit control-alt-del. I got an error message about logging in interactively if
I don't add the user name into 'allow to log on locally'.

There are two policies under admin tools -> domain controller security
policy and domain security policy, where both have allow to logon
locally. I presume the first one refers to ctrl-alt-del login on the
ACTUAL DC machine.

Domain Controller policy impacts ALL dc's in your network. Domain policy
impacts ALL machines in your network.


What I don't understand is how users get authenticated if they don't log
into the dc (via xp for example)? I looked up some forums, and it seems that
a member server within the domain will query the dc and verify your identity.
So a normal user never really needs to log on to the dc, whether via xp.

They aren't attempting to logon to your dc; they are, however, requesting
that the DC provide information to the machine that is looking to connect a
user to the domain. A user walks up to a workstation and enters their user id
and password. The machine takes this information and provides it to the dc,
asking it if it is ok that this user log onto this workstation. The
workstation is trusting the dc to let it know whether or not this user is
trustworthy to log onto the local workstation. At no point is the user
logging onto the dc; the workstation is just getting information provided
to it to determine what this user is allowed to do in the domain.


So does the 'allow local login' of the Domain controller policy enable an xp
user to log into the dc? Or can an xp user only logon to the domain, not the
domain controller (regardless of GP tuning)?





Dan wrote:
I don't think you're understanding the point the book is making. By
logging onto the domain controller the book means actually hitting
control-alt-delete on the domain controller server and logging on; actual
authentication (which you are talking about) is allowed and is necessary
to logon.
Thanks,
Dan

"dav.stock99@xxxxxxxxx" wrote:





Hi,

I am learning MS Active Directory at the moment. But I am a bit
confused why we would stop users from logging on to the
domain controller. Don't all users in a Windows network implemented
with AD need to log on to the server for authentication purposes? I can't
think of any situation where this is not the case. Can anyone help me
clear up this concept?
sybex: 70-290 pg 142
"Normally you don't want regular users to log on to domain
controllers so this action isn't allowed by default."

thx in advance
chris
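
An added example, not part of the thread or written by any of its posters: one way to check which accounts hold "Allow log on locally" (the `SeInteractiveLogonRight` user right) on a domain controller is to export the user rights with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and audit the result. The sample export, the allowlist of built-in groups and the function names below are assumptions made for illustration.

```python
# Constructed sample of a `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# export (not from a real host). Real exports are usually UTF-16 encoded.
SAMPLE_INF = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-513,helpdesk_temp
[Version]
signature="$CHICAGO$"
"""

# Assumed allowlist: built-in groups that normally hold the right on a DC.
ALLOWED_ON_DC = {
    "S-1-5-9": "Enterprise Domain Controllers",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}
# Well-known SIDs that cover ordinary users.
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "Users"}

def parse_privilege_rights(inf_text):
    """Return {right: [holders]} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # '*' marks a SID; unprefixed entries are account names.
            rights[name.strip()] = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return rights

def audit_interactive_logon(inf_text):
    """List (holder, reason) for SeInteractiveLogonRight entries outside the allowlist."""
    findings = []
    for holder in parse_privilege_rights(inf_text).get("SeInteractiveLogonRight", []):
        if holder in ALLOWED_ON_DC:
            continue
        # RID 513 under a domain SID is the Domain Users group.
        is_domain_users = holder.startswith("S-1-5-21-") and holder.endswith("-513")
        if holder in BROAD or is_domain_users:
            findings.append((holder, "broad group: ordinary users could log on at the DC console"))
        else:
            findings.append((holder, "not in allowlist: review"))
    return findings
```

On the constructed sample, `audit_interactive_logon(SAMPLE_INF)` reports the Domain Users SID as a broad group and `helpdesk_temp` as an entry to review, while the broad entries under `SeNetworkLogonRight` are ignored because network authentication against the DC is expected.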





