Solved

Logon Locally User Rights on Windows 2000

Posted on 2001-06-26
7
146 Views
Last Modified: 2010-04-13
After I configure the domain controller security policies using MS Security Configuration and Analysis tool, noone can logon to the domain, the error message they got is "The local policy of this system does not permit you to logon interactively". As my understanding, it is regarding the user rights of logon locally. By reviewing the security settings, on the domain controller security policy, logon locally user right is assigned to administrators, terminal clinets, and ftp clients only. By adding everyone group to the list, the problem is solved. My question is assigning logon locally rights to everyone means anyone can go to the server console and logon from there? is it a security hole? As my experience with NT 4.0, logon locally right is only granted to administrators and ftp/www clients. Any idea about how this work in Windows 2000?

Thanks in advance.
0
Comment
Question by:robert100
7 Comments
 
LVL 1

Expert Comment

by:nrajan
ID: 6229212
You should not set the 'logon locally' permissions for everyone. As you said they will be able to logon at the terminal. All you need to set is the 'Access this computer from a network' permissions for 'Everyone'
 
0
 

Author Comment

by:robert100
ID: 6229585
That was exactly what I originally did, but it didn't work.
By searching KB on MS site, this is what I found:

 http://support.microsoft.com/support/kb/articles/Q276/5/80.ASP

this article applies to SP1, that is what we have here, sp2 may solve that problem?

I really have no idea about this. With NT, it was fine to exclude any users except admin and ftp/www users.

What else should I do?
0
 
LVL 12

Expert Comment

by:Housenet
ID: 6234681
-Put domain users back as having the 'logon locally' right in computer configuration.
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 

Author Comment

by:robert100
ID: 6260793
Yeah, thenks a lot. I tried that puting domain users there instead of everyone, but it doesn't prevent any users from loggin on to the server terminal!!! That is what we don't want, any idea?
0
 
LVL 1

Expert Comment

by:Dingus
ID: 6904202
Add everyone to the 'Print Operators' group. That will give them the right to logon locally, but they will not be able to have their way with the server, only the print jobs.

It's the easiest way to give everyone access to the Domain Controller/Terminal Server, but still limit their control.


Richard
0
 
LVL 5

Expert Comment

by:cempasha
ID: 8237118
Dear questionner/expert(s)

No comment has been added lately, so it's time to clean up this TA.
I'll leave a recommendation in the Cleanup topic area that this question is to be:

- PAQ'd and pts removed

Please leave any comments here within the next seven days.

==> PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER ! <==

PaSHa

Cleanup volunteer



0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 8280177
Finalized as proposed

modulo

Community Support Moderator
Experts Exchange
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Hyena v12.2 is now available for downloading and is available in English, French, German and Spanish versions.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now