Why is the Domain Users group part of the local Users group on Server 2003 installs?
Posted on 2007-07-31
Greetings everyone -
I just noticed that Microsoft appears to be included the Domain Users group in the local Users group on Windows Server 2003 installs. Or is this a Service Pack #2 change?
Either way, does anyone know what the reasoning is for this? While this does not allow regular Domain Users to logon via Remote Desktop, it *DOES* allow them to logon interactively if they have console access to the server. I find this to be troublesome.
When I removed Domain Users from the local Users group on the server, I ran into Printer sharing permissions issues and a variety of other quirks. When I put it back, everything works just fine.
I'm working if anyone knows what the reasoning is for this change and how any of the rest of you are dealing with the security issue of having Domain Users be able to logon locally at the server's console. I'm really interested in the reasoning Microsoft had for doing this so if you only answer one part of the question, that's what I'm primarily curious about.
Thanks in advance!