Log on locally

Ray

Hi there,

I don't know whether users are allowed to log on to a DC locally. I created some
users on the DC and did add those users to "Log on locally" in "Local Security
Policy Setting", but those users still cannot log on to the DC. I remember it's
allowed in Windows NT 4, but now it's unsuccessful on Windows 2000. In the
"Log on locally" dialog, "Local Policy Setting" has been checked on the lines
of those users, but "Effective Policy Setting" has not been checked (I've
waited for a long time and restarted the DC several times).

Can anyone help me explain this question? Thank you so much for your help.

Ray
 
There are 2 GPO links on a W2K domain by default. One is the domain GPO
which enforces security over the whole domain. Another is the Domain
controller GPO. The sites container has no GPO defined by default.

To access the first 2 without using the administrative tools folder, locate
the 2 containers in AD Users and Computers, right-click + properties, last
tab. Highlight the GPO and edit.

The local security policy on a DC is overridden by the DC container's GPO,
with good reason. While you can consult local security settings to verify
security results, a DC requires a more restrictive security than a member
server.

Giving domain users local login rights at DC is not a good idea. If you
decide to go that route regardless of the warnings, I'd suggest making sure
users log off DC in order not to expose an inviting DC desktop and you'll
want to test your AD database recovery procedure. Note that users may still
log into a DC remotely using an appropriately configured MMC console (no
local logon rights required).
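
The precedence described in the reply above, as an added example that is not part of the original thread: a Python sketch that works out which layer decides "Log on locally" (the `SeInteractiveLogonRight` user right) on a DC. The template contents, account names and layer labels are constructed assumptions; the model is that the last layer defining the right replaces earlier ones rather than merging with them.

```python
# Constructed, simplified [Privilege Rights] sections (account names are made up;
# real security templates usually list SIDs such as *S-1-5-32-544, not names).
LOCAL_POLICY = "[Privilege Rights]\nSeInteractiveLogonRight = Administrators,user1,user2\n"
DOMAIN_GPO = "[Privilege Rights]\n; SeInteractiveLogonRight not defined here\n"
DC_OU_GPO = "[Privilege Rights]\nSeInteractiveLogonRight = Administrators,Server Operators\n"

# Application order: local policy first, then the domain GPO, then the DC container's GPO.
LAYERS = [("local policy", LOCAL_POLICY),
          ("domain GPO", DOMAIN_GPO),
          ("DC container GPO", DC_OU_GPO)]

def parse_privilege_rights(inf_text):
    """Return {right: [accounts]} from the [Privilege Rights] section of a template."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # A right defined with an empty value means "defined, nobody holds it".
            rights[name.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return rights

def effective_right(right, layers):
    """Last layer that defines the right wins outright; returns (layer, accounts)."""
    winner, accounts = None, []
    for name, text in layers:
        parsed = parse_privilege_rights(text)
        if right in parsed:
            winner, accounts = name, parsed[right]
    return winner, accounts

def overridden_accounts(right, layers):
    """Accounts granted in the first layer (local policy) but missing from the effective set."""
    local = parse_privilege_rights(layers[0][1]).get(right, [])
    _, effective = effective_right(right, layers)
    return [a for a in local if a not in effective]

if __name__ == "__main__":
    print(effective_right("SeInteractiveLogonRight", LAYERS))
    print(overridden_accounts("SeInteractiveLogonRight", LAYERS))
```

Accounts reported by `overridden_accounts` are the ones that show "Local Policy Setting" checked but "Effective Policy Setting" unchecked in the dialog described in the question.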
 
Thank you for your reminder, I just want to let users print something out
locally on DC. I'll notice that. Now I know I was using "Default Domain
Policy" rather than "Domain Controller Security Policy". I'll try to figure
out their difference. Anyway, thank you very much.

Ray
 