A Windows XP help forum. PCbanter


Domain Users



 
 
  #1  
Old April 15th 03, 06:33 PM
John

I am a Windows XP Pro computer (workstation) on a Windows NT Domain. How do
I go about configuring my computer so that nobody else can log onto my PC?
It seems that anyone who can authenticate to the domain can use my PC. I
see this as a security problem since anyone of the company's users can walk
into my office, log onto my PC and start poking around.

I have removed everybody from the local Admin group except for myself so it
appears as though they are all in the Users group.

Does this have something to do with the NT AUTHORITY\Authenticated Users or
NT AUTHORITY\INTERACTIVE settings I see in the list of members in the Users
group?



  #2  
Old April 15th 03, 06:52 PM
Robert Moir

John wrote:
I am a Windows XP Pro computer (workstation) on a Windows NT Domain.
How do I go about configuring my computer so that nobody else can log
onto my PC? It seems that anyone who can authenticate to the domain
can use my PC. I see this as a security problem since anyone of the
company's users can walk into my office, log onto my PC and start
poking around.

I have removed everybody from the local Admin group except for myself
so it appears as though they are all in the Users group.

Does this have something to do with the NT AUTHORITY\Authenticated
Users or NT AUTHORITY\INTERACTIVE settings I see in the list of
members in the Users group?


i) with all due respect isn't this a decision for the network administrator
to make?
ii) by using NTFS permissions you can lock people out of folders you don't
want them to access.
iii) I'd personally look at the "log on locally" setting in Local Security
Settings, if I really wanted to pursue this.


--
Rob Moir
Microsoft MVP for Windows / Security
www.robertmoir.co.uk


  #3  
Old April 15th 03, 07:46 PM
Bruce Chambers

Greetings --

Is the computer your personal property, or does it belong to your
employer? Consult your IT department about any security concerns you
might have, and the Human Resources department to learn about your
employer's acceptable use policy, or equivalent.

And doesn't your office have a door with a lock?

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html
----
You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH


"John" wrote in message ...
I am a Windows XP Pro computer (workstation) on a Windows NT Domain. How do
I go about configuring my computer so that nobody else can log onto my PC?
It seems that anyone who can authenticate to the domain can use my PC. I
see this as a security problem since anyone of the company's users can walk
into my office, log onto my PC and start poking around.

I have removed everybody from the local Admin group except for myself so it
appears as though they are all in the Users group.

Does this have something to do with the NT AUTHORITY\Authenticated Users or
NT AUTHORITY\INTERACTIVE settings I see in the list of members in the Users
group?




  #4  
Old April 16th 03, 05:31 AM
Roger Abell [MVP]

Other than business ethics, technically yes, this has
everything to do with the two member entries in the
Users group that you mentioned.
Until these are removed from Users, the local security
policy to Allow Local Logon has no effect in limiting
which domain user accounts may log in locally. When
you remove these two from Users, if you do, make very
sure you have granted local login to the account that
should have access (this can be done by making those
accounts members of Users). I assume that you have
already removed Domain Users from Users.

--
Roger Abell
MS MVP (Security, Windows), MCDBA, MCSE both
Associate Expert - Windows XP ExpertZone
http://www.microsoft.com/windowsxp/expertzone

"John" wrote in message ...
I am a Windows XP Pro computer (workstation) on a Windows NT Domain. How do
I go about configuring my computer so that nobody else can log onto my PC?
It seems that anyone who can authenticate to the domain can use my PC. I
see this as a security problem since anyone of the company's users can walk
into my office, log onto my PC and start poking around.

I have removed everybody from the local Admin group except for myself so it
appears as though they are all in the Users group.

Does this have something to do with the NT AUTHORITY\Authenticated Users or
NT AUTHORITY\INTERACTIVE settings I see in the list of members in the Users
group?

  #5  
Old April 16th 03, 01:38 PM
John

Thanks to all who replied. I am investigating this at the suggestion of one
of the network admins. From the tone of your messages it sounds like this
is something that should never be done. I find it difficult to believe that
people such as executives don't want their computers made inaccessible by
all employees in the company except for a select few. I see that each
user's my documents folder is set so only that user can access the documents
(with NTFS). As long as the executive is placing his or her files in that
folder I guess they are OK. We have always made Domain Admins local admins
on each machine too. It's just the average user walking by and logging in
that is a concern.

Oh, and we typically don't lock office doors around here.




"Roger Abell [MVP]"
Other than business ethics, technically yes, this has
everything to do with the two member entries in the
Users group that you mentioned.
Until these are removed from Users, the local security
policy to Allow Local Logon has no effect in limiting
which domain user accounts may log in locally. When
you remove these two from Users, if you do, make very
sure you have granted local login to the account that
should have access (this can be done by making those
accounts members of Users). I assume that you have
already removed Domain Users from Users.



  #6  
Old April 16th 03, 02:19 PM
Roger Abell [MVP]

Actually, this is something that does very often need to
be done, and this is not new with XP but is so with W2k.
If you want to control what accounts can log into a
member machine, then you must remove all three
Domain Users
INTERACTIVE
Authenticated Users
from membership in the local Users group.
For XP this will break local Guest login, and if some
features, like IIS, are installed, then their underlying
accounts may need to be manually added to Users.

The alternative to the above is to leave Users as defined
and remove it from the login rights policies, replacing
this with a custom group granted local login. Again,
you need to make sure certain service accounts, and if
to be allowed local login the Guest account, are within
this custom group.

--
Roger Abell
MS MVP (Security, Windows), MCDBA, MCSE both
Associate Expert - Windows XP ExpertZone
http://www.microsoft.com/windowsxp/expertzone

"John" wrote in message ...
Thanks to all who replied. I am investigating this at the suggestion of one
of the network admins. From the tone of your messages it sounds like this
is something that should never be done. I find it difficult to believe that
people such as executives don't want their computers made inaccessible by
all employees in the company except for a select few. I see that each
user's my documents folder is set so only that user can access the documents
(with NTFS). As long as the executive is placing his or her files in that
folder I guess they are OK. We have always made Domain Admins local admins
on each machine too. It's just the average user walking by and logging in
that is a concern.

Oh, and we typically don't lock office doors around here.

"Roger Abell [MVP]"
Other than business ethics, technically yes, this has
everything to do with the two member entries in the
Users group that you mentioned.
Until these are removed from Users, the local security
policy to Allow Local Logon has no effect in limiting
which domain user accounts may log in locally. When
you remove these two from Users, if you do, make very
sure you have granted local login to the account that
should have access (this can be done by making those
accounts members of Users). I assume that you have
already removed Domain Users from Users.
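Added example, not part of the original thread or any poster's own code: a Python check of the point made in posts #4 and #6, that the "log on locally" right stays open to every domain account while the local Users group holds the right and still contains Domain Users, INTERACTIVE or Authenticated Users. It assumes the text of `secedit /export /cfg <file> /areas USER_RIGHTS` (decoded from its UTF-16 file) and of `net localgroup Users` as input; the `CORP` domain, the `john` account and the sample data are constructed.

```python
import configparser

# Principals that admit every domain account: the three named in the thread, plus Everyone.
BROAD_SIDS = {"S-1-1-0", "S-1-5-4", "S-1-5-11"}
BROAD_NAMES = {"everyone", "nt authority\\interactive", "nt authority\\authenticated users"}
USERS_SID = "S-1-5-32-545"  # BUILTIN\Users

def is_broad(p):
    """True if principal p (SID or account name) covers any authenticated domain account."""
    domain_users_sid = p.startswith("S-1-5-21-") and p.endswith("-513")  # Domain Users RID
    return (p in BROAD_SIDS or p.lower() in BROAD_NAMES or domain_users_sid
            or p.lower().endswith("\\domain users"))

def right_holders(inf_text, right="SeInteractiveLogonRight"):
    """Holders of a user right, from `secedit /export /areas USER_RIGHTS` text."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(inf_text)
    raw = cp.get("Privilege Rights", right, fallback="")
    return [e.strip().lstrip("*") for e in raw.split(",") if e.strip()]

def group_members(net_output):
    """Member names from `net localgroup Users` text (after the dashed rule)."""
    lines = [l.strip() for l in net_output.splitlines()]
    start = next(i for i, l in enumerate(lines) if l.startswith("----")) + 1
    return [l for l in lines[start:] if l and not l.startswith("The command")]

def audit(inf_text, net_output):
    """Each path by which an arbitrary domain account gets 'log on locally'."""
    findings = []
    for holder in right_holders(inf_text):
        if is_broad(holder):
            findings.append(f"direct: {holder}")
        elif holder == USERS_SID:
            findings += [f"via Users: {m}" for m in group_members(net_output) if is_broad(m)]
    return findings

# Constructed sample data (hypothetical CORP domain), not captured from a real machine.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551,Guest
"""
SAMPLE_NET = "\n".join([
    "Alias name     Users", "Members", "", "-" * 79, "CORP\\Domain Users", "CORP\\john",
    "NT AUTHORITY\\Authenticated Users", "NT AUTHORITY\\INTERACTIVE",
    "The command completed successfully."])
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_INF, SAMPLE_NET)) or "local logon is restricted")
```

An empty result corresponds to either approach from post #6: the three entries removed from Users, or Users replaced in the right by a custom group. The check does not expand nested domain groups, so a custom group that itself contains Domain Users would need to be resolved separately.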

 



