  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 444
Why is the domain users group a member of the local users group on windows servers?

Why is the "domain users" group a member of the "local users group" on windows 2003/2008 servers? This is even true for our domain controllers. I know the domain user group is added to the local users group on a workstation when it is added to the domain. But isn't this a security risk for servers? This allows any user in the domain  to login to the server console and run programs or delete files from the system volume. Since our users never log on to the server console then is there any reason for me not to remove this group from local users group on all our servers?
Asked by: ei00004
1 Solution
 
Adam Brown (Sr Solutions Architect) commented:
The Domain Users group is added to the Local Admins group by default. It's necessary to have it that way because every user in the domain is a Domain User, even the Domain Admins. There isn't really a way to block regular domain users from being able to log in locally to a Domain Controller, because doing so would block users from logging in to any computers on the network. However, domain users do not have enough access to make major modifications to Active Directory or the files necessary for AD to operate. A regular Domain User, by default, can't easily break a Domain Controller if they are able to log in to it.
0
 
Adam Brown (Sr Solutions Architect) commented:
Sorry, confused Servers for Domain Controllers. For servers, you can remove the Domain Users group from the Local Users group without much issue. What is actually a better way to handle it, though, is through the User Rights Assignment section of group policy. Computer Configuration\Windows Settings\Security Settings\Local Settings\User Rights Assignment
has a number of rights that can be associated with users and groups. The Allow Log on Locally right can be configured to allow only an Administrative user group to log in locally, which will do the same as removing the Domain Users group from the Local Users group.
0
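An added audit script, not from the thread or its participants, that checks the two things discussed above on a member server: whether Domain Users is nested in the local Users group, and which principals currently hold the Allow log on locally right (SeInteractiveLogonRight). It assumes Windows PowerShell 5.1 running elevated on the server being checked; the regex of "broad" principals it warns on is my own choice.

```powershell
# Added example (not from the thread): audit local logon exposure on a member server.
# Assumes Windows PowerShell 5.1, run elevated, on the server being checked.

# 1. Members of the built-in local Users group. Domain Users appears here by default
#    because the domain join nests it into BUILTIN\Users.
$localUsers = Get-LocalGroupMember -Group 'Users' -ErrorAction Stop
$localUsers | Select-Object Name, ObjectClass, PrincipalSource

$nested = $localUsers | Where-Object { $_.Name -like '*\Domain Users' }
if ($nested) { Write-Warning "Domain Users is nested in BUILTIN\Users on $env:COMPUTERNAME" }

# 2. Effective 'Allow log on locally' from the local security database.
#    secedit exports the policy as a Unicode INF; user rights live in [Privilege Rights].
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content -Path $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item -Path $inf -ErrorAction SilentlyContinue

# The value is comma-separated; SIDs are prefixed with '*', names appear as-is.
$principals = ($line -split '=', 2)[1] -split ',' | ForEach-Object {
    $v = $_.Trim()
    if ($v.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $v }   # unresolvable SID (deleted account, foreign domain): keep raw
    } else { $v }
}
"Allow log on locally on $env:COMPUTERNAME is granted to:"
$principals

# 3. Flag the case the thread is about: a grant that reaches every domain user.
#    Which groups count as "broad" is an assumption of this example.
$broad = $principals | Where-Object { $_ -match '\\Users$|Domain Users|Everyone|Authenticated Users' }
if ($broad) { Write-Warning "Broad interactive logon grant: $($broad -join ', ')" }
```

Run it before and after changing the User Rights Assignment policy (and a `gpupdate /force`) to confirm the console logon right actually narrowed on the server.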
 
ei00004 (Author) commented:
I noticed the Domain Users group is added to the "Local Users" group on every member server in our domain too. I just did some testing on a Windows 2003 member server, logging in as a typical domain user on the 2003 console I cannot delete any files or folders on the C:\ volume that I (as the domain user) did not create. I cannot even create a file on the C:\ volume, however I can create a folder and then create files inside the folder I created. I can also delete files from this folder and can also delete this folder but that's about it.

However, I can also run Adobe Acrobat from the C:\Program Files\Adobe folder, so this tells me a domain user has the capability to run executables on this server. This is not a good thing and a possible security risk.
0
 
ei00004 (Author) commented:
The Allow Log on Locally right, yes I forgot about that, so many policies and groups to keep up with. :-) I believe that should work for me.
0
 
ei00004 (Author) commented:
Setting the Allow Log on Locally right on the DCs should keep users from logging into the domain controller's console, but not from logging into the network from a workstation, right?
0
 
kevinhsieh commented:
By default, a user needs to be more than a user/domain user to log on to the console on a server. Only the various administrators have the log on locally right. By default, if you haven't gone changing NTFS rights or groups, your servers should be reasonably secure. A bigger concern would be places where NTFS permissions allow Everyone or Users WRITE access over the network where they should only have READ. Windows 2008/R2 does a good job of having reasonable security settings. Windows 2000 defaulted to EVERYONE full control.

The Allow Log on Locally right is set for the domain controllers as a group, and then all other servers and workstations can have their own settings. Normally you don't need to change them unless you have unusual requirements like normal users logging into a server, or workstations that certain users are prohibited from logging on to.
0
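An added example, not from the thread or its participants, for the NTFS concern kevinhsieh raises: it walks a share's local folder tree and reports every Allow ACE that gives Everyone, Users, Authenticated Users or Domain Users a write-class right. `$Root` is a placeholder path and the list of "broad" principals is an assumption of this example; share-level (SMB) permissions are a separate check.

```powershell
# Added example (not from the thread): find folders where broad groups hold NTFS write rights.
# $Root is a placeholder; point it at the local path behind the share you are reviewing.
$Root = 'D:\Shares'

# Principals that effectively mean "every domain user". Assumed list for this example.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Bits that let a principal change content or permissions. Generic rights (GENERIC_WRITE,
# GENERIC_ALL) show up on some ACEs and are not named in the FileSystemRights enum, so they
# are OR-ed in by value.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteBits = $WriteBits -bor 0x40000000 -bor 0x10000000

function Test-BroadWriteAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $who = $Ace.IdentityReference.Value
    $isBroad = ($BroadPrincipals -contains $who) -or ($who -like '*\Domain Users')
    if (-not $isBroad) { return $false }
    # -band on the underlying Int32 works even when generic bits make the value negative.
    return (([int]$Ace.FileSystemRights -band $WriteBits) -ne 0)
}

$targets = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $targets) {
    $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        if (Test-BroadWriteAce -Ace $ace) {
            [pscustomobject]@{
                Path      = $dir.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # $false means someone set it explicitly here
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No broad write-class NTFS grants found under $Root" }
```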
 
ei00004 (Author) commented:
This question was not answered:
Setting the Allow Log on Locally right on the DCs should keep users from logging into the domain controller's console, but not from logging into the network from a workstation, right?

I can also run Adobe Acrobat from the C:\Program Files\Adobe folder, so this tells me a domain user has the capability to run executables on this server. This is not a good thing and a possible security risk.
0