PHWinfo - Afficher un message

29/04/2008, 23h04

Jordy wrote:
> Hello
>
> I looked at User rights, log on Locally. I have the group
> Administrators, which I assume is a local group, in that local group,
> I have pushed down Domain admins and Local Admins. Everyone is part
> of the local Admins, which I assume explains the issue.
>
> No the golden question, how do I get around that

?

"everyone" group is a member of Local Adminstrators? That would do it.

Remove "Everyone" group from the "local adminstrators group " and track down
who made that 'decision'. I know someone with a two by four you can borrow
if needed.

>
> Thanks
>
> "kj [SBS MVP]" wrote:
>
>> Jordy wrote:
>>> Ya I understand about the locked down part, but at the moment, that
>>> is not a solution. It will be in the future....
>>>
>>> But the end users still should not be able to login, and I don't
>>> understand why. I have created a group policy that has restricted
>>> groups in it to all all users to have local admin rights to there
>>> PC's (I know, a bad idea, but needed at the moment).
>>>
>>> They are able to login to any server, these are not DC's...
>>>
>>> Thanks
>>
>> Sounds like "users" (Domain Users?) have been granted the "logon
>> locally right" which is not by default. Because this sounds like
>> multiple servers it likely has been set in some group policy
>> setting. Check one of your servers to see if it has in fact been
>> set, then you'll need to track down where.
>>
>>>
>>>
>>> "Lanwench [MVP - Exchange]" wrote:
>>>
>>>> Jordy <Jordy@discussions.microsoft.com> wrote:
>>>>> Hello
>>>>>
>>>>> Is there a way to prevent users (not domain admins) from login
>>>>> into servers. We have an enviroment were the servers are
>>>>> accessable to end users
>>>>
>>>> You should have a locked cabinet or room, apart from everything
>>>> else. If you don't have physical security you don't have any
>>>> security at all.
>>>>
>>>>> and I need to prevent them from Login into the server directly,
>>>>
>>>> End users should not be able to log into your servers now, either
>>>> at the console or via RD (unless this is a terminal server). Are
>>>> they? If so, perhaps they're members of groups they shouldn't be -
>>>> or someone has been monkeying around with policies.
>>>>
>>>>> but still have access to file and print when they login to
>>>>> workstation.
>>>>>
>>>>> Thanks
>>
>> --
>> /kj

--
/kj

29/04/2008, 23h04	#6
kj [SBS MVP] Messages: n/a Hébergeur:	Re: Prevent users from login into servers Jordy wrote: > Hello > > I looked at User rights, log on Locally. I have the group > Administrators, which I assume is a local group, in that local group, > I have pushed down Domain admins and Local Admins. Everyone is part > of the local Admins, which I assume explains the issue. > > No the golden question, how do I get around that ? "everyone" group is a member of Local Adminstrators? That would do it. Remove "Everyone" group from the "local adminstrators group " and track down who made that 'decision'. I know someone with a two by four you can borrow if needed. > > Thanks > > "kj [SBS MVP]" wrote: > >> Jordy wrote: >>> Ya I understand about the locked down part, but at the moment, that >>> is not a solution. It will be in the future.... >>> >>> But the end users still should not be able to login, and I don't >>> understand why. I have created a group policy that has restricted >>> groups in it to all all users to have local admin rights to there >>> PC's (I know, a bad idea, but needed at the moment). >>> >>> They are able to login to any server, these are not DC's... >>> >>> Thanks >> >> Sounds like "users" (Domain Users?) have been granted the "logon >> locally right" which is not by default. Because this sounds like >> multiple servers it likely has been set in some group policy >> setting. Check one of your servers to see if it has in fact been >> set, then you'll need to track down where. >> >>> >>> >>> "Lanwench [MVP - Exchange]" wrote: >>> >>>> Jordy <Jordy@discussions.microsoft.com> wrote: >>>>> Hello >>>>> >>>>> Is there a way to prevent users (not domain admins) from login >>>>> into servers. We have an enviroment were the servers are >>>>> accessable to end users >>>> >>>> You should have a locked cabinet or room, apart from everything >>>> else. If you don't have physical security you don't have any >>>> security at all. >>>> >>>>> and I need to prevent them from Login into the server directly, >>>> >>>> End users should not be able to log into your servers now, either >>>> at the console or via RD (unless this is a terminal server). Are >>>> they? If so, perhaps they're members of groups they shouldn't be - >>>> or someone has been monkeying around with policies. >>>> >>>>> but still have access to file and print when they login to >>>>> workstation. >>>>> >>>>> Thanks >> >> -- >> /kj -- /kj