Networking Forums


Cannot logon locally

 
 
Wilson Cheung
Guest
Posts: n/a

 
      07-05-2005, 11:38 AM
I created a user account with Domain Users permission only. I use this
account to log on to Windows 2003 Server. But it said I cannot log on
locally. I know that this account is not an administrative account and
doesn't have the right.

Therefore, I use my administrative account and go to Active Directory Users
and Computers, then right-click on my domain name, edit the profile and
allow this account the right to log on locally.

However, this account still cannot log on locally. Does anyone know why?


 
 
 
 
 
Olaf Engelke [MVP Windows Server]
Guest
Posts: n/a

 
      07-05-2005, 01:07 PM
Hi Wilson,
Wilson Cheung wrote:
> I created a user account with Domain Users permission only. I use
> this account to log on to Windows 2003 Server. But it said I cannot
> log on locally. I know that this account is not an administrative
> account and doesn't have the right.
>
> Therefore, I use my administrative account and go to Active Directory
> Users and Computers, then right-click on my domain name, edit the
> profile and allow this account the right to log on locally.
>
> However, this account still cannot log on locally. Does anyone
> know why?


What roles does this server have? Is it a domain controller or a member server?
In case it is a member server:
Start/Administrative Tools/Local Security Policy.
In Local Policies / User Rights Assignment check the point "Log on locally".
The user or a group of which he is a member should be granted the right here.

If it is a domain controller, you will have to alter the same in the Domain
Controller security policy (but due to security reasons a local login for
normal users to a domain controller is not recommended).

Best greetings from Germany
Olaf.
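
The check Olaf describes can also be read from a prompt on the server itself. The PowerShell below is an added example, not part of the original post: it uses the built-in `secedit` tool to export the user-rights area and lists who holds "Log on locally" (`SeInteractiveLogonRight`) and "Deny log on locally" (`SeDenyInteractiveLogonRight`). The function names and the temp-file name are illustrative; run it from an elevated session.

```powershell
# Added example: list the principals holding the interactive-logon user rights
# as currently configured on this machine. Function names are illustrative.

function Resolve-Principal([string]$Entry) {
    # secedit writes SIDs as "*S-1-5-..." and a few accounts as plain names.
    if (-not $Entry.StartsWith('*S-1-')) { return $Entry }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # orphaned SID (deleted account): show it raw
}

function Get-LogonRight {
    $inf    = Join-Path $env:TEMP 'user-rights-export.inf'
    $rights = 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight'
    try {
        # Export only the user-rights area of the security settings.
        secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null

        foreach ($line in Get-Content $inf) {
            # Lines of interest look like: SeInteractiveLogonRight = *S-1-5-32-544,...
            $key, $value = $line -split '\s*=\s*', 2
            if ($rights -contains $key) {
                foreach ($entry in ($value -split ',')) {
                    [pscustomobject]@{
                        Right     = $key
                        Principal = Resolve-Principal $entry.Trim()
                    }
                }
            }
        }
    }
    finally {
        # The export describes the machine's rights assignments; do not leave it behind.
        if (Test-Path $inf) { Remove-Item $inf }
    }
}

# A right with no principals assigned is simply absent from the export.
Get-LogonRight | Sort-Object Right, Principal | Format-Table -AutoSize
```

A principal listed under `SeDenyInteractiveLogonRight` is refused even if it also holds `SeInteractiveLogonRight`, directly or through a group, so read both rows before changing the policy.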

 
 
Wilson Cheung
Guest
Posts: n/a

 
      07-05-2005, 02:47 PM
Thanks for your prompt reply. I will try this tomorrow in the office. Thanks
again.
On the other hand, what is the difference between "Domain Controller
security policy" and "Group Policy"?

Thanks!

"Olaf Engelke [MVP Windows Server]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi Wilson,
> Wilson Cheung wrote:
>> I created a user account with Domain Users permission only. I use
>> this account to log on to Windows 2003 Server. But it said I cannot
>> log on locally. I know that this account is not an administrative
>> account and doesn't have the right.
>>
>> Therefore, I use my administrative account and go to Active Directory
>> Users and Computers, then right-click on my domain name, edit the
>> profile and allow this account the right to log on locally.
>>
>> However, this account still cannot log on locally. Does anyone
>> know why?
>
> What roles does this server have? Is it a domain controller or a member
> server?
> In case it is a member server:
> Start/Administrative Tools/Local Security Policy.
> In Local Policies / User Rights Assignment check the point "Log on
> locally". The user or a group of which he is a member should be granted
> the right here.
>
> If it is a domain controller, you will have to alter the same in the
> Domain Controller security policy (but due to security reasons a local
> login for normal users to a domain controller is not recommended).
>
> Best greetings from Germany
> Olaf.



 
 
Giuseppe Nacci
Guest
Posts: n/a

 
      07-05-2005, 04:08 PM
Wilson Cheung wrote:
> Thanks for your prompt reply. I will try this tomorrow in the office.
> Thanks again.
> On the other hand, what is the difference between "Domain Controller
> security policy" and "Group Policy"?

Domain controller security policies are "special" policies for domain
controllers, whereas you can link a GPO (Group Policy Object) to any OU
that you find in AD Users and Computers.
--
---
Giuseppe Nacci
Microsoft Certified System Engineer
Security Manager

--------------------------------------------------------------------
CONFIDENTIALITY NOTICE
This message and its attachments are addressed solely to the persons
above and may contain confidential information. If you have received
the message in error, be informed that any use of the content hereof
is prohibited. Please return it immediately to the sender and delete
the message. Should you have any questions, please contact us by
replying to (E-Mail Removed)
Thank you
--------------------------------------------------------------------



 
 
Giuseppe Nacci
Guest
Posts: n/a

 
      07-05-2005, 04:16 PM
Olaf Engelke [MVP Windows Server] wrote:
> Hi Wilson,
> Wilson Cheung wrote:
>> I created a user account with Domain Users permission only. I use
>> this account to log on to Windows 2003 Server. But it said I cannot
>> log on locally. I know that this account is not an administrative
>> account and doesn't have the right.
>>
>> Therefore, I use my administrative account and go to Active Directory
>> Users and Computers, then right-click on my domain name, edit the
>> profile and allow this account the right to log on locally.
>>
>> However, this account still cannot log on locally. Does anyone
>> know why?
>
> What roles does this server have? Is it a domain controller or a member
> server? In case it is a member server:
> Start/Administrative Tools/Local Security Policy.
> In Local Policies / User Rights Assignment check the point "Log on
> locally". The user or a group of which he is a member should be granted
> the right here.
> If it is a domain controller, you will have to alter the same in the
> Domain Controller security policy (but due to security reasons a
> local login for normal users to a domain controller is not
> recommended).


Sorry, but I don't agree with you.
Due to security reasons the system administrator would have to log on to the
server with a user with no administrative rights and launch every program that
he wants by using the runas command. Isn't that so?
It is also very important to rename the administrator account so as to create a
"false target".
What do you think about it?

Sorry for my English, I'm working on it ;-)


--
---
Giuseppe Nacci
Microsoft Certified System Engineer
Security Manager




 
 
Olaf Engelke [MVP Windows Server]
Guest
Posts: n/a

 
      07-05-2005, 07:19 PM
Hi Giuseppe,
Giuseppe Nacci wrote:
>> If it is a domain controller, you will have to alter the same in the
>> Domain Controller security policy (but due to security reasons a
>> local login for normal users to a domain controller is not
>> recommended).
>
> Sorry, but I don't agree with you.
> Due to security reasons the system administrator would have to log on to
> the server with a user with no administrative rights and launch every
> program that he wants by using the runas command. Isn't that so?


This is valid for a workstation, but makes no real sense on a server (in my
eyes). If you log in to a server (maybe besides a Terminal Server) you almost
every time want to do administrative tasks, which require adequate
permissions. So why go through the hassle in this place with runas? Could be
even more risky, because maybe if you caught a keylogger in the startup
group of the user profile, this could log your account data from the running
session, but not from the main login screen.

> It is also very important to rename the administrator account so as to
> create a "false target".
> What do you think about it?

A real hacker would work with the SID, while a changed name is enough to
counter script kiddies or wannabe hackers ...

> Sorry for my English, I'm working on it ;-)

I am pretty sure my English sounds awful from time to time as well for
native speakers. So as long as we can understand each other it's fine for
me.
Best greetings from Germany
Olaf
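
The rename-versus-SID exchange above can be made concrete. The PowerShell below is an added example, not part of the original posts: the first function finds the built-in local Administrator by its well-known RID 500 whatever it is now called, and the second lists failed logons aimed at the old name, which after a rename belongs to no account. It assumes a member server or workstation running Windows Server 2008 / Vista or later (Security event ID 4625; the Windows 2003 server in the thread logs failures under different event IDs) and an elevated session; the function names are illustrative.

```powershell
# Added example: audit the built-in Administrator by SID and watch the old name.

function Get-BuiltinAdministrator {
    # Local account SIDs look like S-1-5-21-<machine id>-<RID>; RID 500 is the
    # built-in Administrator regardless of the name it carries.
    Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -match '^S-1-5-21-\d+-\d+-\d+-500$' } |
        ForEach-Object {
            [pscustomobject]@{
                CurrentName = $_.Name
                SID         = $_.SID
                # Compared with the English default; localized builds differ.
                Renamed     = ($_.Name -ne 'Administrator')
                Disabled    = $_.Disabled
            }
        }
}

function Get-DecoyNameFailure {
    param([string]$DecoyName = 'Administrator', [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            $data = @{}
            # Flatten the event's named <Data> fields into a hashtable.
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            if ($data['TargetUserName'] -eq $DecoyName) {
                [pscustomobject]@{
                    Time      = $evt.TimeCreated
                    Source    = $data['IpAddress']
                    LogonType = $data['LogonType']
                }
            }
        }
}

Get-BuiltinAdministrator | Format-List
Get-DecoyNameFailure -Hours 24 | Format-Table -AutoSize
```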

 
 
Giuseppe Nacci
Guest
Posts: n/a

 
      07-06-2005, 08:23 AM
Olaf Engelke [MVP Windows Server] wrote:
> Hi Giuseppe,
> Giuseppe Nacci wrote:
>>> If it is a domain controller, you will have to alter the same in the
>>> Domain Controller security policy (but due to security reasons a
>>> local login for normal users to a domain controller is not
>>> recommended).
>>
>> Sorry, but I don't agree with you.
>> Due to security reasons the system administrator would have to log on to
>> the server with a user with no administrative rights and launch every
>> program that he wants by using the runas command. Isn't that so?
>
> This is valid for a workstation, but makes no real sense on a server
> (in my eyes). If you log in to a server (maybe besides a Terminal
> Server) you almost every time want to do administrative tasks, which
> require adequate permissions. So why go through the hassle in this
> place with runas? Could be even more risky, because maybe if you
> caught a keylogger in the startup group of the user profile, this
> could log your account data from the running session, but not from
> the main login screen.


If there is a keylogger on the server, someone has put it there. It means that
the security in the company is very easy to elude and that the server has
already been "penetrated".

>> It is also very important to rename the administrator account so as to
>> create a "false target".
>> What do you think about it?
>
> A real hacker would work with the SID, while a changed name is enough
> to counter script kiddies or wannabe hackers ...

Yes, I agree with you, but you can avoid a "brute force" attack, and the first
tests are on the administrator name or similar. Also, don't forget about
internal attacks in a big company...

Thanks for your reply; to be confronted is important.
--
---
Giuseppe Nacci
Microsoft Certified System Engineer
Security Manager




 