
Hi Mark,

If they are using terminal services, you might also check the Terminal
Services Configuration RDP-Tcp permissions.  I believe by default it is
only Administrator and System that have access.

JJ

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, September 14, 2004 7:50 AM
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Logging on to a Domain Controller


Hi Mark

In the default domain controller group policy check the allow logon
local / allow logon terminal (are they accessing the box using the local
console or via remote desktop?).  Also check the deny logon local and
deny logon terminal.  Those four settings should override anything that
is set elsewhere in GPO or local settings.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]
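An added example, not from any of the posters in this thread: a PowerShell script that reports the four logon rights James lists above (allow/deny log on locally, allow/deny log on through Terminal Services) as they are merged on the domain controller it runs on, and then lists the RDP-Tcp listener permissions JJ mentions at the top of the thread. The group name CONTOSO\Tier2-Admins and the temp file name are assumed placeholders; secedit, its INF right names, and the Win32_TSAccount class are real, and the script is meant to be run in an elevated session on the DC being troubleshot.

```powershell
# Added example, not from the thread: audit the effective logon rights on
# the DC this runs on, and check the RDP-Tcp listener's own permissions.
param(
    [string]$GroupToCheck = 'CONTOSO\Tier2-Admins'   # placeholder; substitute the real group
)

# /mergedpolicy exports the domain + local policy as merged on this box,
# so what the Default Domain Controllers Policy applied is what we read.
$inf = Join-Path $env:TEMP 'secpol-export.inf'    # assumed temp location
secedit /export /cfg $inf /areas USER_RIGHTS /mergedpolicy | Out-Null

# The four rights the thread is about, keyed by their secedit names.
$rights = [ordered]@{
    SeInteractiveLogonRight           = 'Allow log on locally'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeRemoteInteractiveLogonRight     = 'Allow log on through Terminal Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
}

# secedit writes principals as "*S-1-5-32-544,*S-1-5-32-551". Translate each
# SID to DOMAIN\Name; an unresolvable SID (deleted group) is kept as-is so it
# still shows up in the report instead of vanishing.
function Resolve-SidOrName([string]$entry) {
    $value = $entry.TrimStart('*')
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($value)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $value }
}

# Pull every "SeXxx = ..." line out of the [Privilege Rights] section.
$exported = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') { $exported[$matches[1]] = $matches[2] }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# A right that nobody holds is simply absent from the export, so report it
# explicitly rather than skipping it.
$report = foreach ($name in $rights.Keys) {
    $principals = @()
    if ($exported.ContainsKey($name)) {
        $principals = @($exported[$name] -split ',' |
            Where-Object { $_.Trim() } |
            ForEach-Object { Resolve-SidOrName $_.Trim() })
    }
    [pscustomobject]@{
        Right      = $rights[$name]
        Principals = if ($principals) { $principals -join '; ' } else { '(not assigned)' }
        HasGroup   = [bool]($principals -contains $GroupToCheck)
    }
}
$report | Format-Table -AutoSize

# A deny right wins over the matching allow right, so a group that is in
# both lists is denied. Summarise the outcome for the group under test.
foreach ($kind in 'locally', 'through Terminal Services') {
    $allow = ($report | Where-Object Right -eq "Allow log on $kind").HasGroup
    $deny  = ($report | Where-Object Right -eq "Deny log on $kind").HasGroup
    $state = if ($deny) { 'DENIED (explicit deny)' } elseif ($allow) { 'allowed' } else { 'not granted' }
    "Log on {0}: {1}" -f $kind, $state
}

# JJ's point: the RDP-Tcp listener carries its own DACL. Win32_TSAccount in
# the root\CIMV2\TerminalServices namespace lists who is on it; a group with
# the remote logon right but no entry here is still refused at the listener.
try {
    Get-CimInstance -Namespace 'root\CIMV2\TerminalServices' -ClassName Win32_TSAccount `
        -Filter "TerminalName='RDP-Tcp'" |
        Select-Object AccountName, PermissionsAllowed, PermissionsDenied |
        Format-Table -AutoSize
} catch {
    Write-Warning "Could not read RDP-Tcp listener permissions: $_"
}
```

Run it once on a DC where the group can log on and once where it cannot; the difference between the two reports (a missing allow right, an explicit deny, or a listener with no entry for the group) is the setting to chase back to its GPO. PermissionsAllowed and PermissionsDenied are bitmasks of listener permissions, so compare them against the values shown for a working account rather than reading them as booleans.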


From: "Abbiss, Mark" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]tivedir.org
Date: 09/14/2004 04:22 PM ZE2
Please respond to ActiveDir
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Logging on to a Domain Controller




Okay, as you were so helpful as to provide your reason for asking, so
will I.

We have two groups of administrators in our setup. There is Group 1, who
can actually log on and make the necessary changes and there is Group 2,
who should be able to log on and be able to "look around", check running
processes, check settings, etc, but have no ability to start
installing/removing software or making other system changes.

So I would like to be able to grant this second level of administrators
the ability to log on to a domain controller but so far I have not been
able to do it. I have followed various instructions but all to no avail.
The message I see is saying "You do not have access to log on to this
session".

So if anyone can suggest a way to allow me to set up a group with the
ability to log on to DC's with a restricted set of rights, I would be
eternally grateful.

Many thanks in advance.

Mark



-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Dienstag, 14. September 2004 15:33
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Logging on to a Domain Controller


The reason for the question is that allowing local access to a DC
substantially impacts your security. It is extremely bad practice and
poor form to give non-domain admins interactive access to domain
controllers. The recommendation from everyone, including MS is to not do
it. Why? Because if they so choose, the person you give the access to
will most likely have the ability to get administrative level access and
can hopscotch that into complete forest admin access - usually with no
knowledge of the DA's and EA's.

Most people tend to do it when they don't know how to do things in a
better more secure way. When we ask why, we are trying to understand the
context to better provide solutions. I.E. Lots of people ask for lots of
things and most of the time they don't know what they are asking for
else they generally don't need to ask. Not saying you fit this category
but before we give someone a loaded gun, we like to know that they
intend to point at a rat in the dumpster versus their own head or foot.

My general answer to someone who wants to give someone else interactive
domain controller access is to give them domain admin rights, then you
aren't fooling yourself into thinking you have a secure solution.

  joe



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Tuesday, September 14, 2004 9:00 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Logging on to a Domain Controller

Is it really important why ? I just want to know how it might be done. I
am weird like that.

Thanks for any other tips anyone might have.



-----Original Message-----
From: ASB [mailto:[EMAIL PROTECTED]
Sent: Montag, 13. September 2004 21:44
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Logging on to a Domain Controller


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I would like to give a group of our 2nd level administrators the ability
to log on to all Domain Controllers.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Because?

-ASB


----- Original Message -----
From: Abbiss, Mark <[EMAIL PROTECTED]>
Date: Mon, 13 Sep 2004 14:32:47 +0200
Subject: [ActiveDir] Logging on to a Domain Controller
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>


I am going round in circles and am now completely confused !

I would like to give a group of our 2nd level administrators the ability
to log on to all Domain Controllers. I have applied a group policy to
the "Domain Controllers " OU which sets the "Computer configuration ->
windows settings -> security settings -> local policies -> user rights
assignment " to give this group "Log on locally" rights. I have also
ensured that the group policy is applied to all authorised users. I have
no problem logging on as I am an Enterprise Admin, however, the other
admins are denied the ability to log on.

Therefore, I modified the local DC security settings to give the same
group the "Log on locally" right. Still they cannot log on.

Please, what could I be missing ? Do I need to set access rights
anywhere else ? Can I do anything to troubleshoot what rights this group
is getting ?

Many thanks for any help.
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/