

Why is the Domain Users group part of the local Users group on Server 2003 installs?

Posted on 2007-07-31
Medium Priority
Last Modified: 2010-08-05
Greetings everyone -

I just noticed that Microsoft appears to be including the Domain Users group in the local Users group on Windows Server 2003 installs.  Or is this a Service Pack #2 change?

Either way, does anyone know what the reasoning is for this?  While this does not allow regular Domain Users to logon via Remote Desktop, it *DOES* allow them to logon interactively if they have console access to the server.  I find this to be troublesome.

When I removed Domain Users from the local Users group on the server, I ran into Printer sharing permissions issues and a variety of other quirks.  When I put it back, everything works just fine.

I'm wondering if anyone knows what the reasoning is for this change and how any of the rest of you are dealing with the security issue of having Domain Users be able to logon locally at the server's console.  I'm really interested in the reasoning Microsoft had for doing this so if you only answer one part of the question, that's what I'm primarily curious about.

Thanks in advance!
Question by:amendala
LVL 24

Expert Comment

ID: 19604772
You can remove logon interactively through group policy.
LVL 85

Accepted Solution

oBdA earned 1500 total points
ID: 19604929
That has always been the case (well, at least from NT4 and later, but was very likely already implemented in NT 3.5).
The only type of servers where regular users could never logon by default is a DC.
Why? Well, you noticed it yourself: servers offer network resources to users, and in order for the users to be allowed access, they need a certain set of permissions.
This is actually not that much of a security issue. To start with, servers are usually not accessible to users anyway, because they're in a dedicated room with AC and a lock. And if they have physical access, you have a lot more issues than worrying about them logging on with user accounts. There's not so much a user can do from a console session if the security is set correctly. But with physical access, they can unplug the power cable, unplug the network cable, boot with the recovery console, boot with BART, reset the local admin password (which is when you will indeed have security issues ...), remove the hard drives, remove the complete machine ...
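
One way to audit what this thread describes, as an added example that is not from the original posts: a Python script that reads the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS` export and reports whether Domain Users reach "Allow log on locally" (`SeInteractiveLogonRight`) through the local Users group. The sample export, the domain SID, the group membership list and the function names are constructed for illustration.

```python
import re

BUILTIN_USERS = "S-1-5-32-545"  # well-known SID of the local Users group
# Domain Users is always RID 513 under the domain's SID.
DOMAIN_USERS_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")

# Constructed sample in the format written by:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
"""

# Constructed membership of the local Users group on a domain member:
# Authenticated Users, INTERACTIVE and the domain's Domain Users group.
SAMPLE_USERS_MEMBERS = ["S-1-5-11", "S-1-5-4",
                        "S-1-5-21-1111111111-2222222222-3333333333-513"]

def parse_rights(inf_text):
    """Return {right name: set of SIDs or account names} from the export."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {v.strip().lstrip("*")
                                    for v in value.split(",") if v.strip()}
    return rights

def domain_users_can_log_on_locally(rights, users_group_members):
    """Evaluate only the Users and Domain Users entries; a deny entry for
    another group (e.g. Everyone) is out of scope for this check."""
    allow = rights.get("SeInteractiveLogonRight", set())
    deny = rights.get("SeDenyInteractiveLogonRight", set())
    nested = {s for s in users_group_members if DOMAIN_USERS_RE.match(s)}
    reachable = {s for s in allow if DOMAIN_USERS_RE.match(s)}
    if BUILTIN_USERS in allow:
        reachable |= nested          # right inherited via local Users
    blocked = {s for s in deny if DOMAIN_USERS_RE.match(s)}
    if BUILTIN_USERS in deny:
        blocked |= nested            # deny inherited the same way
    return bool(reachable - blocked)
```

Adding Domain Users to "Deny log on locally" through group policy, rather than removing the group from local Users, makes the check return False while leaving the resource permissions that depend on the nesting untouched.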


Question has a verified solution.
