I found something interesting today and was hoping someone could point me in the right direction as to why. It has always been my understanding that users could not logon to locally to a server unless they were given the right in the User Rights Assignment of the Local Policy or via GPO.
I logged into a clients servers this afternoon and found that the Local Users group is allowed to Logon Locally. I did this on several machines. They can not on a DC but member servers they have access to. I know they are not allowed for Logon Remotely.
I would think this would be a security hole. In reading the following: http://technet.microsoft.com/en-us/library/dn221980(v=ws.10).aspx
It appears as a standard configuration. Is anyone out there modifying this setting? If so, how are you determining if it is ok to remove the users group form the logon locally rights assignment.
Thanks for your insight.