Solved

Local users and groups

Posted on 2006-11-16
11
451 Views
Last Modified: 2012-08-31
i have a windows 2003 server and i can't find "local users and groups."  i have gone to the computer management screen and i thought that "local users and groups" should be on that screen under "system tools" but it is not there.  what am i missing?
0
Comment
Question by:scottspivey
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +2
11 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 350 total points
ID: 17960123
Sounds like your machine is a Domain Controller. Once its a DC, there is no more SAM (local Users and Groups), you access users through the AD Users and Computers snap in
0
 
LVL 1

Author Comment

by:scottspivey
ID: 17960167
so when i go to administrative tools and i have AD users and computers that is all i will have on this server?  so then do i set up users as administrators and such when my machine is a domain controller?  i need to add a user to allow them to logon to the server through RPD but i don't want them to have full access to my machine.  i thought i controlled that by the group i added them to.
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 17960230
yes that computer is a domain controller.

>>then do i set up users as administrators and such when my machine is a domain controller?
no, there is NO such thing as a local user or a local group on a domain controller,,,, that is why you don't see the local users and groups in system tools
if you would like to allow a user to log into your DC via remote desktop connection
1. enable remote desktop connection on that machine if you haven't already
2. create an account for them in active directory users and computers
3. go back into remote desktop connection and allow that person to use RDC
4.  if you allow a user to log in 'locally' like this to your DC, they can do basically whatever they want unless you REALLY tweak their account

0
SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17960613
you want to keep that machine away from users as much as possible, this is like the entire engine of your domain
0
 
LVL 1

Author Comment

by:scottspivey
ID: 17960966
so then if i go to each individual user account can i keep them from being able to access this machine through RDC?
0
 
LVL 25

Assisted Solution

by:mikeleebrla
mikeleebrla earned 150 total points
ID: 17961000
>>so then if i go to each individual user account can i keep them from being able to access this machine through RDC?
no, just the opposite.  Only select the users you WANT to give access to when you are setting up RDC.  you do this by rightclicking 'my computer' choose properties, then go to the remote tab, then select 'select remote users'
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17961030
you can also enable or disable the terminal service logon right on the user account itself - if they are going to log on they will need to be part of the "remote desktop users group"
0
 
LVL 1

Author Comment

by:scottspivey
ID: 17961032
preciate the help guys and the quick response.  i will get this all cleaned up and be on my way.

thx.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 17961111
On a domain controller, there are no local users and groups, they are all domain-level users and groups.  Access to the domain controller itself is, as you thought, controlled through group membership.  The only user that, by default, has the ability to log on directly to the domain controller is the Administrator account, by virtue of its membership in the Built-in Administrators group.  When you create new users in AD Users and Computers, their default group membership is the Domain Users group as well as several "hidden" group (hidden in that they don't show on the group membership list), one of which is Authenticated Users.  This Domain Users group has access to the domain controller machine and files and folders stored or applications running on it only by logging on at a workstation that is a member of the domain.  The Authenticated Users group is a built-in group that can be used to specify that a right or permission is given to the users only after they have been authenticated (i.e., logged in) on the domain.  

You do NOT want to allow your users to log directly on to the domain controller.  This is a huge security risk to your software and data.  However, there are some types of connections that require the user to have "log on locally" rights, even though they are not actually physically sitting at the machine.  If this is the case, you can give the Authenticated Users group "log on locally" rights by editing the Domain Controllers Security Policy.  To do this:

1. Open the DC security policy management console from your Administrative Tools menu. Expand the Security Settings/ Local Policies object and click on User Rights Assignment.

2. On the right-hand pane, there is a list of rights.  Find the "Log on locally" right, double-click it and click Add User or Group to add the Authenticated Users group to this right.

Hope this helps!
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17961162
Cheers mate and all the best
0
 
LVL 1

Expert Comment

by:internethotspot
ID: 24309497
I am in the same boat, HOWEVER I don't want to continue using the machine as a 'Domain Controller'.  Instead, I clicked on Start - Run - DCPROMO /FORCEREMOVAL

This should force the removal of the domain controller, essentially demoting the machine back to a member server instead of it being a domain controller.

However this is esentially a rollback, and everything the Active Directory created will be removed and control given back to the registry & SAM.  If this doesn't work, I will reinstall the entire server... ack!
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Learn about cloud computing and its benefits for small business owners.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question