Professor Frink Posted October 27, 2004 Share Posted October 27, 2004 I'm still testing my 2003 setup, and I noticed that non-admins can log on. How can I stop that from happening? The "Administrators" group only contains the local administrator, plus the domain admins (which I control). As far as I can tell, all of the other group are clear, save for those odd entries that I probably shouldn't touch (like "NT Authority" in the users group).Is there a way I can make it so that ONLY administrators can log on? That's because some of my offices are small, and the file server is in an open area amongst the desks and cubes (although the main office itself is secured). It sucks, but I have no choice there. So what can I do to make sure the server is locked down?FYI -- after the installation is done, "Domain Users" is listed in the "Users" group. But I removed that... Link to comment Share on other sites More sharing options...
morellana Posted October 27, 2004 Share Posted October 27, 2004 Is it a DC or a member server? Link to comment Share on other sites More sharing options...
Don Juan Posted October 28, 2004 Share Posted October 28, 2004 Do not log off. Always press CTRL+ALT+DEL and then lock the computer. Only an admin can unlock it. We always do it like this. Link to comment Share on other sites More sharing options...
Professor Frink Posted October 28, 2004 Author Share Posted October 28, 2004 Is it a DC or a member server?Nope, it's not a DC, just a member server.@Don Juan:I guess I could do it that way -- it's a decent workaround. But there isn't a way to tell the server not to let a non-admin logon? Link to comment Share on other sites More sharing options...
andrewpayne Posted October 28, 2004 Share Posted October 28, 2004 Click Start/Run and type 'gpedit.msc'Under Local Computer Policy, explore to Computer Configuration - Windows Settings - Security Settings - Local Policies - User Rights Assignment - Deny Logon Locally and add 'Domain Users'You might also consider placing users in a new group (DENY LOGON) and then add that group to Deny Logon Locally to make clearer to the other (and future) Doman Admins so there is no confusion DO consider the implication of putting users in this Deny Logon Locally group and ensure that the Domain Admins are not also members of Domain Users ('deny' usually overides 'allow'). Link to comment Share on other sites More sharing options...
tguy Posted October 29, 2004 Share Posted October 29, 2004 You could also do the same thing on a stand alone server that is not part of a domain.Open the Local Security Policy from the Administrator's Tools menuOpen or expand Local PoliciesOpen or expand User Rights AssignmentLocate the setting for Deny log on locallyAdd the user(s) or group(s) you want and save.Good luck.tguy Link to comment Share on other sites More sharing options...
Professor Frink Posted December 13, 2004 Author Share Posted December 13, 2004 andrewpayne:I finally got around to trying this, and it worked great. And once I checked out those security policies, I realized that I don't even need to do the "deny". I went into "Allow log on locally" and removed every entry except for administrators. I then tried logging on as admins and non-admins, and it worked perfectly.Thanks! Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now