troubleshooting Question

Why are users allowed to Logon Locally to Member Servers by default?

Avatar of Neadom Tucker
Neadom TuckerFlag for United States of America asked on
OS SecurityWindows Server 2008Windows Server 2012
8 Comments2 Solutions231 ViewsLast Modified:
I found something interesting today and was hoping someone could point me in the right direction as to why.  It has always been my understanding that users could not logon to locally to a server unless they were given the right in the User Rights Assignment of the Local Policy or via GPO.

I logged into a clients servers this afternoon and found that the Local Users group is allowed to Logon Locally.  I did this on several machines. They can not on a DC but member servers they have access to.  I know they are not allowed for Logon Remotely.

I would think this would be a security hole.  In reading the following: http://technet.microsoft.com/en-us/library/dn221980(v=ws.10).aspx It appears as a standard configuration.  Is anyone out there modifying this setting?  If so, how are you determining if it is ok to remove the users group form the logon locally rights assignment.

Thanks for your insight.

Tucker
ASKER CERTIFIED SOLUTION
Join our community to see this answer!
Unlock 2 Answers and 8 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 2 Answers and 8 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros