ei00004
Why is the domain users group a member of the local users group on windows servers?
Why is the "domain users" group a member of the "local users group" on Windows 2003/2008 servers? This is even true for our domain controllers. I know the domain user group is added to the local users group on a workstation when it is added to the domain. But isn't this a security risk for servers? This allows any user in the domain to log in to the server console and run programs or delete files from the system volume. Since our users never log on to the server console, is there any reason for me not to remove this group from the local users group on all our servers?
The Domain Users group is added to the Local Admins group by default. It's necessary to have it that way because every user in the domain is a Domain User, even the Domain Admins. There isn't really a way to block regular domain users from being able to log in locally to a Domain Controller, because doing so would block users from logging in to any computers on the network. However, domain users do not have enough access to make major modifications to Active Directory or the files necessary for AD to operate. A regular Domain User, by default, can't easily break a Domain Controller if they are able to log in to it.
ASKER
I noticed the Domain Users group is added to the "Local Users" group on every member server in our domain too. I just did some testing on a Windows 2003 member server: logging in as a typical domain user on the 2003 console, I cannot delete any files or folders on the C:\ volume that I (as the domain user) did not create. I cannot even create a file on the C:\ volume; however, I can create a folder and then create files inside the folder I created. I can also delete files from this folder and can also delete this folder, but that's about it.
However, I can also run Adobe Acrobat from the C:\Program Files\Adobe folder, so this tells me a domain user has the capability to run executables on this server. This is not a good thing and a possible security risk.
ASKER
The Allow Log on Locally right, yes I forgot about that, so many policies and groups to keep up with. :-) I believe that should work for me.
ASKER
Setting the Allow Log on Locally right on the DCs should keep users from logging into the domain controller's console, but not from logging into the network from a workstation, right?
By default, a user needs to be more than a user/domain user to log on to the console on a server. Only the various administrators have the log on locally right. By default, if you haven't gone changing NTFS rights or groups, your servers should be reasonably secure. A bigger concern would be places where NTFS permissions allow Everyone or Users WRITE access over the network where they should only have READ. Windows 2008/R2 do a good job of having reasonable security settings. Windows 2000 defaulted to EVERYONE full control.
The Allow Log on Locally right is set for the domain controllers as a group, and then all other servers and workstations can have their own settings. Normally you don't need to change them unless you have unusual requirements like normal users logging into a server or workstations where certain users are prohibited from logging onto.
ASKER
This question was not answered:
Setting the Allow Log on Locally right on the DCs should keep users from logging into the domain controller's console, but not from logging into the network from a workstation, right?
I can also run Adobe Acrobat from the C:\Program Files\Adobe folder, so this tells me a domain user has the capability to run executables on this server. This is not a good thing and a possible security risk.
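The following is an added PowerShell audit example, not code from this thread or from Microsoft, that checks on one server the three things the discussion turns on: who is in the local Users group, who holds the Allow log on locally right (SeInteractiveLogonRight), and which top-level folders on the system drive grant write-class NTFS rights to broad principals such as Everyone, Users or Authenticated Users. It assumes an elevated PowerShell session on the server being audited, that secedit.exe is present, and that Get-LocalGroupMember exists (on older servers it falls back to parsing "net localgroup"); the function names are my own.

```powershell
# Added audit example (not code from the thread). Assumptions: run elevated on the
# server being audited; secedit.exe is available; Get-LocalGroupMember exists on
# newer Windows only, so older servers fall back to parsing "net localgroup".

# 1. Who is in the local Users group (the membership this thread is about)?
function Get-LocalUsersMembers {
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        return Get-LocalGroupMember -Group 'Users' | ForEach-Object { $_.Name }
    }
    # Fallback: member names follow the dashed separator line and precede the
    # "The command completed successfully." trailer.
    $lines = net localgroup Users
    $sep = ($lines | Where-Object { $_ -match '^-+$' } | Select-Object -First 1)
    $start = [Array]::IndexOf($lines, $sep) + 1
    $lines[$start..($lines.Count - 1)] |
        Where-Object { $_ -and $_ -notmatch 'completed successfully' }
}

# 2. Who holds "Allow log on locally" (SeInteractiveLogonRight) in the effective
#    local security policy? secedit exports it as a comma-separated list of *SIDs.
function Get-InteractiveLogonRight {
    $inf = Join-Path $env:TEMP 'userrights-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
        if (-not $line) { return @() }    # right not explicitly configured
        ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                # Translate entries like *S-1-5-32-545 to names where the SID resolves;
                # unresolvable SIDs are returned as-is.
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $entry }
            } else { $entry }
        }
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

# 3. Where do broad principals hold write-class NTFS rights on the system drive
#    root and its top-level folders? (This is the check behind the "create a
#    folder on C:\ but not a file" observation and the WRITE-vs-READ concern.)
function Find-BroadWriteGrants {
    param([string]$Root = "$env:SystemDrive\")
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
               'NT AUTHORITY\INTERACTIVE')
    # Specific write bits plus the generic-write (0x40000000) and generic-all
    # (0x10000000) bits that inherited folder ACEs often carry.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
                 [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [int][System.Security.AccessControl.FileSystemRights]::FullControl -bor
                 0x40000000 -bor 0x10000000
    $targets = @(Get-Item -Path $Root) +
               @(Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })
    foreach ($dir in $targets) {
        $acl = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $broad -contains $ace.IdentityReference.Value -and
                (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
                New-Object PSObject -Property @{
                    Path     = $dir.FullName
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

# Usage (elevated): run all three checks and show the results.
Get-LocalUsersMembers
Get-InteractiveLogonRight
Find-BroadWriteGrants | Format-Table Path, Identity, Rights -AutoSize
```

The first two checks answer "who can reach the console" on a given box (group membership alone is not enough; the user right decides), and the third separates the harmless case of Users being able to create folders under the root from folders where a broad principal can modify or delete existing content. Run it on a domain controller and on a member server side by side to see how the two differ, and re-run it after any change to the Allow log on locally right to confirm the policy actually applied.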