?
Solved

Logon Locally User Rights on Windows 2000

Posted on 2001-06-26
7
Medium Priority
?
154 Views
Last Modified: 2010-04-13
After I configure the domain controller security policies using MS Security Configuration and Analysis tool, noone can logon to the domain, the error message they got is "The local policy of this system does not permit you to logon interactively". As my understanding, it is regarding the user rights of logon locally. By reviewing the security settings, on the domain controller security policy, logon locally user right is assigned to administrators, terminal clinets, and ftp clients only. By adding everyone group to the list, the problem is solved. My question is assigning logon locally rights to everyone means anyone can go to the server console and logon from there? is it a security hole? As my experience with NT 4.0, logon locally right is only granted to administrators and ftp/www clients. Any idea about how this work in Windows 2000?

Thanks in advance.
0
Comment
Question by:robert100
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 1

Expert Comment

by:nrajan
ID: 6229212
You should not set the 'logon locally' permissions for everyone. As you said they will be able to logon at the terminal. All you need to set is the 'Access this computer from a network' permissions for 'Everyone'
 
0
 

Author Comment

by:robert100
ID: 6229585
That was exactly what I originally did, but it didn't work.
By searching KB on MS site, this is what I found:

 http://support.microsoft.com/support/kb/articles/Q276/5/80.ASP

this article applies to SP1, that is what we have here, sp2 may solve that problem?

I really have no idea about this. With NT, it was fine to exclude any users except admin and ftp/www users.

What else should I do?
0
 
LVL 12

Expert Comment

by:Housenet
ID: 6234681
-Put domain users back as having the 'logon locally' right in computer configuration.
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 

Author Comment

by:robert100
ID: 6260793
Yeah, thenks a lot. I tried that puting domain users there instead of everyone, but it doesn't prevent any users from loggin on to the server terminal!!! That is what we don't want, any idea?
0
 
LVL 1

Expert Comment

by:Dingus
ID: 6904202
Add everyone to the 'Print Operators' group. That will give them the right to logon locally, but they will not be able to have their way with the server, only the print jobs.

It's the easiest way to give everyone access to the Domain Controller/Terminal Server, but still limit their control.


Richard
0
 
LVL 5

Expert Comment

by:cempasha
ID: 8237118
Dear questionner/expert(s)

No comment has been added lately, so it's time to clean up this TA.
I'll leave a recommendation in the Cleanup topic area that this question is to be:

- PAQ'd and pts removed

Please leave any comments here within the next seven days.

==> PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER ! <==

PaSHa

Cleanup volunteer



0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 8280177
Finalized as proposed

modulo

Community Support Moderator
Experts Exchange
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question