Hello

Is there a way to prevent users (not domain admins) from login into servers.
We have an enviroment were the servers are accessable to end users and I need
to prevent them from Login into the server directly, but still have access to
file and print when they login to workstation.

Thanks

Jordy <Jordy@discussions.microsoft.com> wrote:
> Hello
>
> Is there a way to prevent users (not domain admins) from login into
> servers. We have an enviroment were the servers are accessable to end
> users

You should have a locked cabinet or room, apart from everything else. If you
don't have physical security you don't have any security at all.

> and I need to prevent them from Login into the server directly,

End users should not be able to log into your servers now, either at the
console or via RD (unless this is a terminal server). Are they? If so,
perhaps they're members of groups they shouldn't be - or someone has been
monkeying around with policies.

> but still have access to file and print when they login to
> workstation.
>
> Thanks

Ya I understand about the locked down part, but at the moment, that is not a
solution. It will be in the future....

But the end users still should not be able to login, and I don't understand
why. I have created a group policy that has restricted groups in it to all
all users to have local admin rights to there PC's (I know, a bad idea, but
needed at the moment).

They are able to login to any server, these are not DC's...

Thanks


"Lanwench [MVP - Exchange]" wrote:

> Jordy <Jordy@discussions.microsoft.com> wrote:
> > Hello
> >
> > Is there a way to prevent users (not domain admins) from login into
> > servers. We have an enviroment were the servers are accessable to end
> > users
>
> You should have a locked cabinet or room, apart from everything else. If you
> don't have physical security you don't have any security at all.
>
> > and I need to prevent them from Login into the server directly,
>
> End users should not be able to log into your servers now, either at the
> console or via RD (unless this is a terminal server). Are they? If so,
> perhaps they're members of groups they shouldn't be - or someone has been
> monkeying around with policies.
>
> > but still have access to file and print when they login to
> > workstation.
> >
> > Thanks
>
>
>
>
>
>

Jordy wrote:
> Ya I understand about the locked down part, but at the moment, that
> is not a solution. It will be in the future....
>
> But the end users still should not be able to login, and I don't
> understand why. I have created a group policy that has restricted
> groups in it to all all users to have local admin rights to there
> PC's (I know, a bad idea, but needed at the moment).
>
> They are able to login to any server, these are not DC's...
>
> Thanks

Sounds like "users" (Domain Users?) have been granted the "logon locally
right" which is not by default. Because this sounds like multiple servers it
likely has been set in some group policy setting. Check one of your servers
to see if it has in fact been set, then you'll need to track down where.

>
>
> "Lanwench [MVP - Exchange]" wrote:
>
>> Jordy <Jordy@discussions.microsoft.com> wrote:
>>> Hello
>>>
>>> Is there a way to prevent users (not domain admins) from login into
>>> servers. We have an enviroment were the servers are accessable to
>>> end users
>>
>> You should have a locked cabinet or room, apart from everything
>> else. If you don't have physical security you don't have any
>> security at all.
>>
>>> and I need to prevent them from Login into the server directly,
>>
>> End users should not be able to log into your servers now, either at
>> the console or via RD (unless this is a terminal server). Are they?
>> If so, perhaps they're members of groups they shouldn't be - or
>> someone has been monkeying around with policies.
>>
>>> but still have access to file and print when they login to
>>> workstation.
>>>
>>> Thanks

--
/kj

Hello

I looked at User rights, log on Locally. I have the group Administrators,
which I assume is a local group, in that local group, I have pushed down
Domain admins and Local Admins. Everyone is part of the local Admins, which I
assume explains the issue.

No the golden question, how do I get around that ?

Thanks

"kj [SBS MVP]" wrote:

> Jordy wrote:
> > Ya I understand about the locked down part, but at the moment, that
> > is not a solution. It will be in the future....
> >
> > But the end users still should not be able to login, and I don't
> > understand why. I have created a group policy that has restricted
> > groups in it to all all users to have local admin rights to there
> > PC's (I know, a bad idea, but needed at the moment).
> >
> > They are able to login to any server, these are not DC's...
> >
> > Thanks
>
> Sounds like "users" (Domain Users?) have been granted the "logon locally
> right" which is not by default. Because this sounds like multiple servers it
> likely has been set in some group policy setting. Check one of your servers
> to see if it has in fact been set, then you'll need to track down where.
>
> >
> >
> > "Lanwench [MVP - Exchange]" wrote:
> >
> >> Jordy <Jordy@discussions.microsoft.com> wrote:
> >>> Hello
> >>>
> >>> Is there a way to prevent users (not domain admins) from login into
> >>> servers. We have an enviroment were the servers are accessable to
> >>> end users
> >>
> >> You should have a locked cabinet or room, apart from everything
> >> else. If you don't have physical security you don't have any
> >> security at all.
> >>
> >>> and I need to prevent them from Login into the server directly,
> >>
> >> End users should not be able to log into your servers now, either at
> >> the console or via RD (unless this is a terminal server). Are they?
> >> If so, perhaps they're members of groups they shouldn't be - or
> >> someone has been monkeying around with policies.
> >>
> >>> but still have access to file and print when they login to
> >>> workstation.
> >>>
> >>> Thanks
>
> --
> /kj
>
>
>

Jordy wrote:
> Hello
>
> I looked at User rights, log on Locally. I have the group
> Administrators, which I assume is a local group, in that local group,
> I have pushed down Domain admins and Local Admins. Everyone is part
> of the local Admins, which I assume explains the issue.
>
> No the golden question, how do I get around that ?

"everyone" group is a member of Local Adminstrators? That would do it.

Remove "Everyone" group from the "local adminstrators group " and track down
who made that 'decision'. I know someone with a two by four you can borrow
if needed.


>
> Thanks
>
> "kj [SBS MVP]" wrote:
>
>> Jordy wrote:
>>> Ya I understand about the locked down part, but at the moment, that
>>> is not a solution. It will be in the future....
>>>
>>> But the end users still should not be able to login, and I don't
>>> understand why. I have created a group policy that has restricted
>>> groups in it to all all users to have local admin rights to there
>>> PC's (I know, a bad idea, but needed at the moment).
>>>
>>> They are able to login to any server, these are not DC's...
>>>
>>> Thanks
>>
>> Sounds like "users" (Domain Users?) have been granted the "logon
>> locally right" which is not by default. Because this sounds like
>> multiple servers it likely has been set in some group policy
>> setting. Check one of your servers to see if it has in fact been
>> set, then you'll need to track down where.
>>
>>>
>>>
>>> "Lanwench [MVP - Exchange]" wrote:
>>>
>>>> Jordy <Jordy@discussions.microsoft.com> wrote:
>>>>> Hello
>>>>>
>>>>> Is there a way to prevent users (not domain admins) from login
>>>>> into servers. We have an enviroment were the servers are
>>>>> accessable to end users
>>>>
>>>> You should have a locked cabinet or room, apart from everything
>>>> else. If you don't have physical security you don't have any
>>>> security at all.
>>>>
>>>>> and I need to prevent them from Login into the server directly,
>>>>
>>>> End users should not be able to log into your servers now, either
>>>> at the console or via RD (unless this is a terminal server). Are
>>>> they? If so, perhaps they're members of groups they shouldn't be -
>>>> or someone has been monkeying around with policies.
>>>>
>>>>> but still have access to file and print when they login to
>>>>> workstation.
>>>>>
>>>>> Thanks
>>
>> --
>> /kj

--
/kj

A 2x4 is being too gentle. "Tactical Nuclear Device" is what comes to
mind for me... ;-)

I'm *still* running into places 6 years later where "everyone" has
rights to certain resources. I change them to "Domain Users" at a minimum...

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services

kj [SBS MVP] wrote:
> Jordy wrote:
>> Hello
>>
>> I looked at User rights, log on Locally. I have the group
>> Administrators, which I assume is a local group, in that local group,
>> I have pushed down Domain admins and Local Admins. Everyone is part
>> of the local Admins, which I assume explains the issue.
>>
>> No the golden question, how do I get around that ?
>
> "everyone" group is a member of Local Adminstrators? That would do it.
>
> Remove "Everyone" group from the "local adminstrators group " and track down
> who made that 'decision'. I know someone with a two by four you can borrow
> if needed.
>
>
>> Thanks
>>
>> "kj [SBS MVP]" wrote:
>>
>>> Jordy wrote:
>>>> Ya I understand about the locked down part, but at the moment, that
>>>> is not a solution. It will be in the future....
>>>>
>>>> But the end users still should not be able to login, and I don't
>>>> understand why. I have created a group policy that has restricted
>>>> groups in it to all all users to have local admin rights to there
>>>> PC's (I know, a bad idea, but needed at the moment).
>>>>
>>>> They are able to login to any server, these are not DC's...
>>>>
>>>> Thanks
>>> Sounds like "users" (Domain Users?) have been granted the "logon
>>> locally right" which is not by default. Because this sounds like
>>> multiple servers it likely has been set in some group policy
>>> setting. Check one of your servers to see if it has in fact been
>>> set, then you'll need to track down where.
>>>
>>>>
>>>> "Lanwench [MVP - Exchange]" wrote:
>>>>
>>>>> Jordy <Jordy@discussions.microsoft.com> wrote:
>>>>>> Hello
>>>>>>
>>>>>> Is there a way to prevent users (not domain admins) from login
>>>>>> into servers. We have an enviroment were the servers are
>>>>>> accessable to end users
>>>>> You should have a locked cabinet or room, apart from everything
>>>>> else. If you don't have physical security you don't have any
>>>>> security at all.
>>>>>
>>>>>> and I need to prevent them from Login into the server directly,
>>>>> End users should not be able to log into your servers now, either
>>>>> at the console or via RD (unless this is a terminal server). Are
>>>>> they? If so, perhaps they're members of groups they shouldn't be -
>>>>> or someone has been monkeying around with policies.
>>>>>
>>>>>> but still have access to file and print when they login to
>>>>>> workstation.
>>>>>>
>>>>>> Thanks
>>> --
>>> /kj
>
A 2x4 is being to gentle. Tactical Nuclear Device is what comes to mind
for me... ;-)

I'm still running into places 6 years later where "everyone" has rights
to resources. I change them to "Domain Users" at a minimum...

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services

Hank Arnold (MVP) wrote:
> A 2x4 is being too gentle. "Tactical Nuclear Device" is what comes to
> mind for me... ;-)

Quick and effective, but it's all over in a flash.

Excessive pain and suffering with the opportunity for multiple 'lessons' are
need here.

<g>

>
> I'm *still* running into places 6 years later where "everyone" has
> rights to certain resources. I change them to "Domain Users" at a
> minimum...
> --
>
> Regards,
> Hank Arnold
> Microsoft MVP
> Windows Server - Directory Services
>
> kj [SBS MVP] wrote:
>> Jordy wrote:
>>> Hello
>>>
>>> I looked at User rights, log on Locally. I have the group
>>> Administrators, which I assume is a local group, in that local
>>> group, I have pushed down Domain admins and Local Admins. Everyone
>>> is part of the local Admins, which I assume explains the issue.
>>>
>>> No the golden question, how do I get around that ?
>>
>> "everyone" group is a member of Local Adminstrators? That would do
>> it. Remove "Everyone" group from the "local adminstrators group " and
>> track down who made that 'decision'. I know someone with a two by
>> four you can borrow if needed.
>>
>>
>>> Thanks
>>>
>>> "kj [SBS MVP]" wrote:
>>>
>>>> Jordy wrote:
>>>>> Ya I understand about the locked down part, but at the moment,
>>>>> that is not a solution. It will be in the future....
>>>>>
>>>>> But the end users still should not be able to login, and I don't
>>>>> understand why. I have created a group policy that has restricted
>>>>> groups in it to all all users to have local admin rights to there
>>>>> PC's (I know, a bad idea, but needed at the moment).
>>>>>
>>>>> They are able to login to any server, these are not DC's...
>>>>>
>>>>> Thanks
>>>> Sounds like "users" (Domain Users?) have been granted the "logon
>>>> locally right" which is not by default. Because this sounds like
>>>> multiple servers it likely has been set in some group policy
>>>> setting. Check one of your servers to see if it has in fact been
>>>> set, then you'll need to track down where.
>>>>
>>>>>
>>>>> "Lanwench [MVP - Exchange]" wrote:
>>>>>
>>>>>> Jordy <Jordy@discussions.microsoft.com> wrote:
>>>>>>> Hello
>>>>>>>
>>>>>>> Is there a way to prevent users (not domain admins) from login
>>>>>>> into servers. We have an enviroment were the servers are
>>>>>>> accessable to end users
>>>>>> You should have a locked cabinet or room, apart from everything
>>>>>> else. If you don't have physical security you don't have any
>>>>>> security at all.
>>>>>>
>>>>>>> and I need to prevent them from Login into the server directly,
>>>>>> End users should not be able to log into your servers now, either
>>>>>> at the console or via RD (unless this is a terminal server). Are
>>>>>> they? If so, perhaps they're members of groups they shouldn't be
>>>>>> - or someone has been monkeying around with policies.
>>>>>>
>>>>>>> but still have access to file and print when they login to
>>>>>>> workstation.
>>>>>>>
>>>>>>> Thanks
>>>> --
>>>> /kj
>>
> A 2x4 is being to gentle. Tactical Nuclear Device is what comes to
> mind for me... ;-)
>
> I'm still running into places 6 years later where "everyone" has
> rights to resources. I change them to "Domain Users" at a minimum...

--
/kj