Avatar of dmanisit

Server 2003 Local Logons

Hi guys, I currently have a domain server. I recently discovered that a Domain User can log in to the console. I created a Test.User account in Active Directory and ONLY gave that user the Domain User group. I then went to the server and was able to log in. I am currently blocking GPO to this server. I went in and checked the Local Security Policies, and the only thing I see that stands out is this account: NT AUTHORITY/Authenticated Users (S-1-5-11).

How can I keep domain users from logging in?
Avatar of bigbigpig

Local security policy > user rights assignment > Deny log on locally
Avatar of dmanisit


I can't deny Domain Users there, as EVERYONE in the organization MUST be a member of Domain Users. That policy supersedes the Allow, therefore no one, including domain admins, could log in.

What users or groups are in "Allow log on locally"?

Local Administrators, and a Domain Group I created to allow LOCAL logon; I have added 3 people to it. However, like I said, ALL users have the Domain Users group, so if I deny that, it supersedes the Allow policy.

You mentioned in your question that Authenticated Users is in there... where do you see that?

What groups is the Test.User user account in?  Run 'net user Test.User' to list them.
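
The check the thread is working toward (who actually holds "Allow log on locally" and "Deny log on locally") can be run against a `secedit /export /cfg rights.inf /areas USER_RIGHTS` dump. This is an added example, not code from the thread: the sample export is constructed, and `EXAMPLE\Console-Logon` is a hypothetical name for the custom group the asker describes.

```python
import re

ALLOW = "SeInteractiveLogonRight"      # "Allow log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny log on locally"

# Well-known principals that normally take in every domain user.
BROAD = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}
DOMAIN_USERS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")  # RID 513 = Domain Users

# Constructed sample export, not taken from the asker's server.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-11,EXAMPLE\\Console-Logon
SeDenyInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_rights(text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written as *S-1-...; resolved account names have no asterisk.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def broad_principals(text, right):
    """Principals holding `right` that cover all domain users."""
    members = parse_rights(text).get(right, [])
    return [BROAD.get(p, p) for p in members
            if p in BROAD or DOMAIN_USERS.match(p)]

if __name__ == "__main__":
    for who in broad_principals(SAMPLE_EXPORT, ALLOW):
        print("Allow log on locally covers all domain users via:", who)
    for who in broad_principals(SAMPLE_EXPORT, DENY):
        print("Deny log on locally would also lock out admins via:", who)
```

A real export is normally UTF-16, so open the file with `encoding="utf-16"` before passing its text to these functions.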
Avatar of McKnife