Everyone can logon locally to servers

By NICS ·
I have just discovered that all users can log on locally to our Windows 2000 Servers. Obviously I want to change this immediately. What is the best practice for changing this to local Admins and Domain Admins only? Some of the servers are domain controllers, and some are not. Do I use local security policy for non-DCs and Domain Controller security policy for DCs?

Thanks

by CG IT In reply to Everyone can logon locall ...

Log on locally meaning? There are 2 types of local access: local to the specific computer and local domain.

by CG IT In reply to

Yep, answer #2 has it. Just change the local computer security policy on the server to deny logon to everyone BUT admins.

by NICS In reply to Everyone can logon locall ...

I mean log onto the domain from the server itself. The real problem is that many of the drives have top level security permissions of Everyone FC - and this leaves a lot open. If only admins could access the server it would help minimise the risk until I test & change all permissions. All servers are in cold rooms, but I need to address some particular security risks.

Hope this clears things up.

Thanks

by briantruitt In reply to Everyone can logon locall ...

You should be able to specify which users or groups can logon locally. Go to your Domain Security Policy, Local Policies, and click on User Rights Assignment. Over in the Display Pane should be a policy for Deny Logon Locally. It's not defined by default. Go ahead and define that sucker and you're back in business cowboy.

by omie In reply to Everyone can logon locall ...

So that nobody could log on ... instead of logging off .. make a practice to lock the server. Nobody could log you off except the network administrator, or unless they restart the server.

Hope this helps..

by omie In reply to

Rate the answers??

by martin In reply to Everyone can logon locall ...

Hi, I assume that your users need administrator rights on the workstations so you have added them to the domain admins group on your server?

If this is the case, why not create a group, say desktopadmin, and add your users into this group, then on your workstations add domain\desktopadmin to the local administrators group?

This way the users have full control of the workstation but not the servers.

by NICS In reply to Everyone can logon locall ...

Users do not need Admin access to workstations either. First off - I will change the local security policy to deny access to all other accounts (except admin) as suggested by Brian. We usually lock servers, but I just want to make sure that we have "best practice" in place.

Thanks for the advice - this should sort it out.

by NICS In reply to Everyone can logon locall ...

This question was closed by the author
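
An added example, not posted by anyone in this thread: a Python check over the `[Privilege Rights]` section of a security template (assumed here to be the INF text that `secedit /export` writes) that lists who holds "Log on locally" and flags a "Deny logon locally" entry broad enough to lock out administrators, since deny overrides allow. The function names, both sample templates and the domain SID are constructed for illustration.

```python
# Added example: audit logon rights in a security template ([Privilege Rights]).
# All sample data is constructed; the domain SID is a placeholder.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users"}
ADMINS = {"administrators", "domain admins"}
COVERS_ADMINS = ADMINS | {"everyone", "authenticated users"}

def principal(token):
    """Normalise '*S-1-5-32-544', a domain SID, or 'DOMAIN\\name' to a bare name."""
    t = token.strip().lstrip("*")
    if t.upper().startswith("S-1-5-21-") and t.endswith("-512"):
        return "Domain Admins"
    return WELL_KNOWN.get(t.upper(), t).split("\\")[-1]

def parse_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            rights[key.strip()] = [principal(v) for v in value.split(",") if v.strip()]
    return rights

def audit(inf_text):
    """Flag non-admin holders of the allow right and self-lockout deny entries."""
    rights = parse_rights(inf_text)
    findings = [f"allow: {p} can log on locally"
                for p in rights.get("SeInteractiveLogonRight", [])
                if p.lower() not in ADMINS]
    findings += [f"deny: {p} also covers administrators (deny overrides allow)"
                 for p in rights.get("SeDenyInteractiveLogonRight", [])
                 if p.lower() in COVERS_ADMINS]
    return findings

BEFORE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-1-0,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-1-0
"""
AFTER = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-512
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(text) or "OK")
```

Run it against a template exported from each server, domain controllers and member servers alike, before and after changing the policy.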
