Why is the Domain Users group part of the local Users group on Server 2003 installs?

Posted on 2007-07-31
Last Modified: 2010-08-05
Greetings everyone -

I just noticed that Microsoft appears to be including the Domain Users group in the local Users group on Windows Server 2003 installs.  Or is this a Service Pack #2 change?

Either way, does anyone know what the reasoning is for this?  While this does not allow regular Domain Users to logon via Remote Desktop, it *DOES* allow them to logon interactively if they have console access to the server.  I find this to be troublesome.

When I removed Domain Users from the local Users group on the server, I ran into Printer sharing permissions issues and a variety of other quirks.  When I put it back, everything works just fine.

I'm wondering if anyone knows what the reasoning is for this change and how any of the rest of you are dealing with the security issue of having Domain Users be able to logon locally at the server's console.  I'm really interested in the reasoning Microsoft had for doing this so if you only answer one part of the question, that's what I'm primarily curious about.

Thanks in advance!
Question by:amendala

    Expert Comment

    You can remove logon interactively through group policy.

    Accepted Solution

    That has always been the case (well, at least from NT4 and later, but was very likely already implemented in NT 3.5).
    The only type of servers where regular users could never logon by default is a DC.
    Why? Well, you noticed it yourself: servers offer network resources to users, and in order for the users to be allowed access, they need a certain set of permissions.
    This is actually not that much of a security issue. To start with, servers are usually not accessible to users anyway, because they're in a dedicated room with AC and a lock. And if they have physical access, you have a lot more issues than worrying about them logging on with user accounts. There's not so much a user can do from a console session if the security is set correctly. But with physical access, they can unplug the power cable, unplug the network cable, boot with the recovery console, boot with BART, reset the local admin password (which is when you will indeed have security issues ...), remove the hard drives, remove the complete machine ...
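
An added example, not part of the original thread: the group-policy route mentioned in the Expert Comment works through the "Allow log on locally" and "Deny log on locally" user rights, so this check parses a user-rights export and reports whether the local Users group (which contains Domain Users here) can log on at the console while the group membership itself stays untouched. The sample export and the function names are constructed for illustration.

```python
import configparser

# Well-known SID of the local BUILTIN\Users group (same on every install).
BUILTIN_USERS = "S-1-5-32-545"
ALLOW = "SeInteractiveLogonRight"      # "Allow log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny log on locally"

# Constructed sample in the format written by:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# (the real file is UTF-16; decode it before passing the text in).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-1-0
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_rights(inf_text):
    """Return {right name: set of SIDs or account names} from an export."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            # SIDs are written with a leading '*'; account names without one.
            rights[name] = {p.strip().lstrip("*")
                            for p in value.split(",") if p.strip()}
    return rights

def users_can_log_on_locally(inf_text, group_sid=BUILTIN_USERS):
    """True if the group holds the allow right and is not denied."""
    rights = parse_rights(inf_text)
    allowed = group_sid in rights.get(ALLOW, set())
    denied = group_sid in rights.get(DENY, set())
    return allowed and not denied  # the deny right overrides the allow right

if __name__ == "__main__":
    print("Users can log on at the console:",
          users_can_log_on_locally(SAMPLE_INF))
```
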
