#1
Domain Users
I am a Windows XP Pro computer (workstation) on a Windows NT Domain. How do I go about configuring my computer so that nobody else can log onto my PC? It seems that anyone who can authenticate to the domain can use my PC. I see this as a security problem since any one of the company's users can walk into my office, log onto my PC and start poking around.

I have removed everybody from the local Admin group except for myself so it appears as though they are all in the Users group.

Does this have something to do with the NT AUTHORITY\Authenticated Users or NT AUTHORITY\INTERACTIVE settings I see in the list of members in the Users group?
#2
Domain Users
i) With all due respect, isn't this a decision for the network administrator to make?
ii) By using NTFS permissions you can lock people out of folders you don't want them to access.
iii) I'd personally look at the "log on locally" setting in Local Security Settings, if I really wanted to pursue this.

--
Rob Moir
Microsoft MVP for Windows / Security
www.robertmoir.co.uk
#3
Domain Users
Greetings --

Is the computer your personal property, or does it belong to your employer? Consult your IT department about any security concerns you might have, and the Human Resources department to learn about your employer's acceptable use policy, or equivalent. And doesn't your office have a door with a lock?

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having both at once. -- RAH
#4
Domain Users
Other than business ethics, technically yes, this has everything to do with the two member entries in the Users group that you mentioned.

Until these are removed from Users, the local security policy to Allow Local Logon has no effect in limiting which domain user accounts may log in locally. When you remove these two from Users, if you do, make very sure you have granted local login to the account that should have access (this can be done by making those accounts members of Users). I assume that you have already removed Domain Users from Users.

--
Roger Abell
MS MVP (Security, Windows), MCDBA, MCSE both
Associate Expert - Windows XP ExpertZone
http://www.microsoft.com/windowsxp/expertzone
#5
Domain Users
Thanks to all who replied. I am investigating this at the suggestion of one of the network admins. From the tone of your messages it sounds like this is something that should never be done. I find it difficult to believe that people such as executives don't want their computers made inaccessible by all employees in the company except for a select few. I see that each user's my documents folder is set so only that user can access the documents (with NTFS). As long as the executive is placing his or her files in that folder I guess they are OK. We have always made Domain Admins local admins on each machine too. It's just the average user walking by and logging in that is a concern.

Oh, and we typically don't lock office doors around here.
#6
Domain Users
Actually, this is something that does very often need to be done, and this is not new with XP but is so with W2k.

If you want to control what accounts can log into a member machine, then you must remove all three

    Domain Users
    INTERACTIVE
    Authenticated Users

from membership in the local Users group.

For XP this will break local Guest login, and if some features, like IIS, are installed, then their underlying accounts may need to be manually added to Users.

The alternative to the above is to leave Users as defined and remove it from the login rights policies, replacing this with a custom group granted local login. Again, you need to make sure certain service accounts, and if to be allowed local login the Guest account, are within this custom group.

--
Roger Abell
MS MVP (Security, Windows), MCDBA, MCSE both
Associate Expert - Windows XP ExpertZone
http://www.microsoft.com/windowsxp/expertzone
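The rule described in posts #4 and #6 can be checked mechanically: a broad principal can still log on locally as long as it sits inside any group that holds the logon right. The following is an added example, not part of any post in this thread. It reads a policy file in the `secedit /export` layout and expands local group membership; the policy text, the domain SID, the account RID 1105 and all function names are constructed for illustration.

```python
import configparser

# Well-known SIDs of the broad principals named in the thread.
BROAD = {"S-1-5-4": "INTERACTIVE", "S-1-5-11": "Authenticated Users"}
USERS, ADMINS = "S-1-5-32-545", "S-1-5-32-544"  # BUILTIN\Users, BUILTIN\Administrators
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
DOMAIN_USERS, JOHN = DOM + "-513", DOM + "-1105"  # 1105 is a constructed RID

# Constructed sample in the layout written by `secedit /export /areas USER_RIGHTS`.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
"""

def logon_right_holders(inf_text):
    """Principals granted 'log on locally'; SIDs carry a leading '*' in the export."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of SeInteractiveLogonRight
    cp.read_string(inf_text)
    raw = cp.get("Privilege Rights", "SeInteractiveLogonRight", fallback="")
    return [p.strip().lstrip("*") for p in raw.split(",") if p.strip()]

def is_broad(sid):
    # Domain Users is always RID 513 under the domain's S-1-5-21-... prefix.
    return sid in BROAD or (sid.startswith("S-1-5-21-") and sid.endswith("-513"))

def broad_logon_grants(inf_text, local_groups):
    """Expand every holder of the right through local group membership and
    return {broad_sid: group_it_arrived_through}."""
    found, seen = {}, set()
    stack = [(sid, "policy") for sid in logon_right_holders(inf_text)]
    while stack:
        sid, via = stack.pop()
        if sid in seen:
            continue
        seen.add(sid)
        if is_broad(sid):
            found[sid] = via
        stack.extend((m, sid) for m in local_groups.get(sid, []))
    return found

# Constructed memberships: Users as described in the thread, then after the fix.
DEFAULT_GROUPS = {USERS: ["S-1-5-4", "S-1-5-11", DOMAIN_USERS], ADMINS: [JOHN]}
HARDENED_GROUPS = {USERS: [JOHN], ADMINS: [JOHN]}

if __name__ == "__main__":
    for name, groups in (("default", DEFAULT_GROUPS), ("hardened", HARDENED_GROUPS)):
        print(name, broad_logon_grants(SAMPLE_INF, groups))
```

An empty result means only explicitly listed accounts and groups can log on locally; any entry names the group that still has to be cleaned up or removed from the logon right.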