PHWinfo - Afficher un message

04/05/2008, 12h38

A 2x4 is being too gentle. "Tactical Nuclear Device" is what comes to
mind for me... ;-)

I'm *still* running into places 6 years later where "everyone" has
rights to certain resources. I change them to "Domain Users" at a minimum...

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services

kj [SBS MVP] wrote:
> Jordy wrote:
>> Hello
>>
>> I looked at User rights, log on Locally. I have the group
>> Administrators, which I assume is a local group, in that local group,
>> I have pushed down Domain admins and Local Admins. Everyone is part
>> of the local Admins, which I assume explains the issue.
>>
>> No the golden question, how do I get around that

?
>
> "everyone" group is a member of Local Adminstrators? That would do it.
>
> Remove "Everyone" group from the "local adminstrators group " and track down
> who made that 'decision'. I know someone with a two by four you can borrow
> if needed.
>
>
>> Thanks
>>
>> "kj [SBS MVP]" wrote:
>>
>>> Jordy wrote:
>>>> Ya I understand about the locked down part, but at the moment, that
>>>> is not a solution. It will be in the future....
>>>>
>>>> But the end users still should not be able to login, and I don't
>>>> understand why. I have created a group policy that has restricted
>>>> groups in it to all all users to have local admin rights to there
>>>> PC's (I know, a bad idea, but needed at the moment).
>>>>
>>>> They are able to login to any server, these are not DC's...
>>>>
>>>> Thanks
>>> Sounds like "users" (Domain Users?) have been granted the "logon
>>> locally right" which is not by default. Because this sounds like
>>> multiple servers it likely has been set in some group policy
>>> setting. Check one of your servers to see if it has in fact been
>>> set, then you'll need to track down where.
>>>
>>>>
>>>> "Lanwench [MVP - Exchange]" wrote:
>>>>
>>>>> Jordy <Jordy@discussions.microsoft.com> wrote:
>>>>>> Hello
>>>>>>
>>>>>> Is there a way to prevent users (not domain admins) from login
>>>>>> into servers. We have an enviroment were the servers are
>>>>>> accessable to end users
>>>>> You should have a locked cabinet or room, apart from everything
>>>>> else. If you don't have physical security you don't have any
>>>>> security at all.
>>>>>
>>>>>> and I need to prevent them from Login into the server directly,
>>>>> End users should not be able to log into your servers now, either
>>>>> at the console or via RD (unless this is a terminal server). Are
>>>>> they? If so, perhaps they're members of groups they shouldn't be -
>>>>> or someone has been monkeying around with policies.
>>>>>
>>>>>> but still have access to file and print when they login to
>>>>>> workstation.
>>>>>>
>>>>>> Thanks
>>> --
>>> /kj
>
A 2x4 is being to gentle. Tactical Nuclear Device is what comes to mind
for me... ;-)

I'm still running into places 6 years later where "everyone" has rights
to resources. I change them to "Domain Users" at a minimum...

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services

04/05/2008, 12h38	#7
Hank Arnold (MVP) Messages: n/a Hébergeur:	Re: Prevent users from login into servers A 2x4 is being too gentle. "Tactical Nuclear Device" is what comes to mind for me... ;-) I'm still running into places 6 years later where "everyone" has rights to certain resources. I change them to "Domain Users" at a minimum... -- Regards, Hank Arnold Microsoft MVP Windows Server - Directory Services kj [SBS MVP] wrote: > Jordy wrote: >> Hello >> >> I looked at User rights, log on Locally. I have the group >> Administrators, which I assume is a local group, in that local group, >> I have pushed down Domain admins and Local Admins. Everyone is part >> of the local Admins, which I assume explains the issue. >> >> No the golden question, how do I get around that ? > > "everyone" group is a member of Local Adminstrators? That would do it. > > Remove "Everyone" group from the "local adminstrators group " and track down > who made that 'decision'. I know someone with a two by four you can borrow > if needed. > > >> Thanks >> >> "kj [SBS MVP]" wrote: >> >>> Jordy wrote: >>>> Ya I understand about the locked down part, but at the moment, that >>>> is not a solution. It will be in the future.... >>>> >>>> But the end users still should not be able to login, and I don't >>>> understand why. I have created a group policy that has restricted >>>> groups in it to all all users to have local admin rights to there >>>> PC's (I know, a bad idea, but needed at the moment). >>>> >>>> They are able to login to any server, these are not DC's... >>>> >>>> Thanks >>> Sounds like "users" (Domain Users?) have been granted the "logon >>> locally right" which is not by default. Because this sounds like >>> multiple servers it likely has been set in some group policy >>> setting. Check one of your servers to see if it has in fact been >>> set, then you'll need to track down where. >>> >>>> >>>> "Lanwench [MVP - Exchange]" wrote: >>>> >>>>> Jordy <Jordy@discussions.microsoft.com> wrote: >>>>>> Hello >>>>>> >>>>>> Is there a way to prevent users (not domain admins) from login >>>>>> into servers. We have an enviroment were the servers are >>>>>> accessable to end users >>>>> You should have a locked cabinet or room, apart from everything >>>>> else. If you don't have physical security you don't have any >>>>> security at all. >>>>> >>>>>> and I need to prevent them from Login into the server directly, >>>>> End users should not be able to log into your servers now, either >>>>> at the console or via RD (unless this is a terminal server). Are >>>>> they? If so, perhaps they're members of groups they shouldn't be - >>>>> or someone has been monkeying around with policies. >>>>> >>>>>> but still have access to file and print when they login to >>>>>> workstation. >>>>>> >>>>>> Thanks >>> -- >>> /kj > A 2x4 is being to gentle. Tactical Nuclear Device is what comes to mind for me... ;-) I'm still running into places 6 years later where "everyone" has rights to resources. I change them to "Domain Users" at a minimum... -- Regards, Hank Arnold Microsoft MVP Windows Server - Directory Services