Server 2003 - how do I keep users from logging on?

[Professor Frink]

I'm still testing my 2003 setup, and I noticed that non-admins can log on. How can I stop that from happening? The "Administrators" group only contains the local administrator, plus the domain admins (which I control). As far as I can tell, all of the other group are clear, save for those odd entries that I probably shouldn't touch (like "NT Authority" in the users group).

Is there a way I can make it so that ONLY administrators can log on? That's because some of my offices are small, and the file server is in an open area amongst the desks and cubes (although the main office itself is secured). It sucks, but I have no choice there. So what can I do to make sure the server is locked down?

FYI -- after the installation is done, "Domain Users" is listed in the "Users" group. But I removed that...

[morellana]

Is it a DC or a member server?

[Don Juan]

Do not log off. Always press CTRL+ALT+DEL and then lock the computer. Only an admin can unlock it. We always do it like this.

[Professor Frink]

Is it a DC or a member server?

Nope, it's not a DC, just a member server.

@Don Juan:

I guess I could do it that way -- it's a decent workaround. But there isn't a way to tell the server not to let a non-admin logon?

[andrewpayne]

Click Start/Run and type 'gpedit.msc'

Under Local Computer Policy, explore to Computer Configuration - Windows Settings - Security Settings - Local Policies - User Rights Assignment - Deny Logon Locally and add 'Domain Users'

You might also consider placing users in a new group (DENY LOGON) and then add that group to Deny Logon Locally to make clearer to the other (and future) Doman Admins so there is no confusion

DO consider the implication of putting users in this Deny Logon Locally group and ensure that the Domain Admins are not also members of Domain Users ('deny' usually overides 'allow').

[tguy]

You could also do the same thing on a stand alone server that is not part of a domain.

Open the Local Security Policy from the Administrator's Tools menu

Open or expand Local Policies

Open or expand User Rights Assignment

Locate the setting for Deny log on locally

Add the user(s) or group(s) you want and save.

Good luck.

tguy

[Professor Frink]

andrewpayne:

I finally got around to trying this, and it worked great. And once I checked out those security policies, I realized that I don't even need to do the "deny". I went into "Allow log on locally" and removed every entry except for administrators. I then tried logging on as admins and non-admins, and it worked perfectly.

Thanks!