Hank Arnold (MVP) wrote:
> A 2x4 is being too gentle. "Tactical Nuclear Device" is what comes to
> mind for me... ;-)

Quick and effective, but it's all over in a flash.

Excessive pain and suffering with the opportunity for multiple 'lessons' are
need here.

<g>

>
> I'm *still* running into places 6 years later where "everyone" has
> rights to certain resources. I change them to "Domain Users" at a
> minimum...
> --
>
> Regards,
> Hank Arnold
> Microsoft MVP
> Windows Server - Directory Services
>
> kj [SBS MVP] wrote:
>> Jordy wrote:
>>> Hello
>>>
>>> I looked at User rights, log on Locally. I have the group
>>> Administrators, which I assume is a local group, in that local
>>> group, I have pushed down Domain admins and Local Admins. Everyone
>>> is part of the local Admins, which I assume explains the issue.
>>>
>>> No the golden question, how do I get around that ?
>>
>> "everyone" group is a member of Local Adminstrators? That would do
>> it. Remove "Everyone" group from the "local adminstrators group " and
>> track down who made that 'decision'. I know someone with a two by
>> four you can borrow if needed.
>>
>>
>>> Thanks
>>>
>>> "kj [SBS MVP]" wrote:
>>>
>>>> Jordy wrote:
>>>>> Ya I understand about the locked down part, but at the moment,
>>>>> that is not a solution. It will be in the future....
>>>>>
>>>>> But the end users still should not be able to login, and I don't
>>>>> understand why. I have created a group policy that has restricted
>>>>> groups in it to all all users to have local admin rights to there
>>>>> PC's (I know, a bad idea, but needed at the moment).
>>>>>
>>>>> They are able to login to any server, these are not DC's...
>>>>>
>>>>> Thanks
>>>> Sounds like "users" (Domain Users?) have been granted the "logon
>>>> locally right" which is not by default. Because this sounds like
>>>> multiple servers it likely has been set in some group policy
>>>> setting. Check one of your servers to see if it has in fact been
>>>> set, then you'll need to track down where.
>>>>
>>>>>
>>>>> "Lanwench [MVP - Exchange]" wrote:
>>>>>
>>>>>> Jordy <Jordy@discussions.microsoft.com> wrote:
>>>>>>> Hello
>>>>>>>
>>>>>>> Is there a way to prevent users (not domain admins) from login
>>>>>>> into servers. We have an enviroment were the servers are
>>>>>>> accessable to end users
>>>>>> You should have a locked cabinet or room, apart from everything
>>>>>> else. If you don't have physical security you don't have any
>>>>>> security at all.
>>>>>>
>>>>>>> and I need to prevent them from Login into the server directly,
>>>>>> End users should not be able to log into your servers now, either
>>>>>> at the console or via RD (unless this is a terminal server). Are
>>>>>> they? If so, perhaps they're members of groups they shouldn't be
>>>>>> - or someone has been monkeying around with policies.
>>>>>>
>>>>>>> but still have access to file and print when they login to
>>>>>>> workstation.
>>>>>>>
>>>>>>> Thanks
>>>> --
>>>> /kj
>>
> A 2x4 is being to gentle. Tactical Nuclear Device is what comes to
> mind for me... ;-)
>
> I'm still running into places 6 years later where "everyone" has
> rights to resources. I change them to "Domain Users" at a minimum...

--
/kj