Solved

Logon Locally User Rights on Windows 2000

Posted on 2001-06-26
7
150 Views
Last Modified: 2010-04-13
After I configure the domain controller security policies using MS Security Configuration and Analysis tool, noone can logon to the domain, the error message they got is "The local policy of this system does not permit you to logon interactively". As my understanding, it is regarding the user rights of logon locally. By reviewing the security settings, on the domain controller security policy, logon locally user right is assigned to administrators, terminal clinets, and ftp clients only. By adding everyone group to the list, the problem is solved. My question is assigning logon locally rights to everyone means anyone can go to the server console and logon from there? is it a security hole? As my experience with NT 4.0, logon locally right is only granted to administrators and ftp/www clients. Any idea about how this work in Windows 2000?

Thanks in advance.
0
Comment
Question by:robert100
7 Comments
 
LVL 1

Expert Comment

by:nrajan
ID: 6229212
You should not set the 'logon locally' permissions for everyone. As you said they will be able to logon at the terminal. All you need to set is the 'Access this computer from a network' permissions for 'Everyone'
 
0
 

Author Comment

by:robert100
ID: 6229585
That was exactly what I originally did, but it didn't work.
By searching KB on MS site, this is what I found:

 http://support.microsoft.com/support/kb/articles/Q276/5/80.ASP

this article applies to SP1, that is what we have here, sp2 may solve that problem?

I really have no idea about this. With NT, it was fine to exclude any users except admin and ftp/www users.

What else should I do?
0
 
LVL 12

Expert Comment

by:Housenet
ID: 6234681
-Put domain users back as having the 'logon locally' right in computer configuration.
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 

Author Comment

by:robert100
ID: 6260793
Yeah, thenks a lot. I tried that puting domain users there instead of everyone, but it doesn't prevent any users from loggin on to the server terminal!!! That is what we don't want, any idea?
0
 
LVL 1

Expert Comment

by:Dingus
ID: 6904202
Add everyone to the 'Print Operators' group. That will give them the right to logon locally, but they will not be able to have their way with the server, only the print jobs.

It's the easiest way to give everyone access to the Domain Controller/Terminal Server, but still limit their control.


Richard
0
 
LVL 5

Expert Comment

by:cempasha
ID: 8237118
Dear questionner/expert(s)

No comment has been added lately, so it's time to clean up this TA.
I'll leave a recommendation in the Cleanup topic area that this question is to be:

- PAQ'd and pts removed

Please leave any comments here within the next seven days.

==> PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER ! <==

PaSHa

Cleanup volunteer



0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 8280177
Finalized as proposed

modulo

Community Support Moderator
Experts Exchange
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question