Forum Search:
Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Home » Microsoft » Windows Server » Windows Server General Help » 2003: Local User Group and Domain Users
2003: Local User Group and Domain Users [message #164040] Fri, 12 June 2009 12:07 Go to next message
JimLad  is currently offline JimLad  United Kingdom
Messages: 64
Registered: July 2009
Member
Hi,

Sorry! This is a very basic question on S2003. Apologies in advance.

I was wondering why more users than I intended had access to a share I
created. I set the share permissions to everyone full access, but I
thought the ntfs permissions were quite restrictive.

Turns out I was wrong: I had seen that local users group had read
access, but hadn't really thought much about it as I thought there
wouldn't be many local users, cos it was a web server only requiring a
few administrators like me to log on. Turns out every authenticated
user on the domain is in the local user group on the web server.

Now my infrastructure guys tell me this is completely normal and
nothing to worry about, and also the default setup. Can someone
confirm this and explain what local user group is for? I obviously
have got wrong, but I thought it was for people who will be logging
onto the server in question... not joe bloggs in the account
department who probably doesn't need to have any permissions on the
server - at most might need access to one share.

Cheers,

James
Re: Local User Group and Domain Users [message #164041 is a reply to message #164040] Fri, 12 June 2009 13:59 Go to previous messageGo to next message
Marcin  is currently offline Marcin
Messages: 273
Registered: July 2009
Senior Member
James,
when a computer account is added to the domain, Domain Users group are
automatically added ot local Users group - so yes, the behavior you
described is expected. For overview of local groups and their purpose, refer
to http://technet.microsoft.com/en-us/library/cc785020(WS.10).aspx
When permissioning access to resources, use domain local groups, which
membership you can manage in a more controlled manner...

hth
Marcin

"JimLad" <jamesdbirch@yahoo.co.uk> wrote in message
news:ed093501-1126-4a21-a302-f9ecb9feabd0@y9g2000yqg.googlegroups.com...
> Hi,
>
> Sorry! This is a very basic question on S2003. Apologies in advance.
>
> I was wondering why more users than I intended had access to a share I
> created. I set the share permissions to everyone full access, but I
> thought the ntfs permissions were quite restrictive.
>
> Turns out I was wrong: I had seen that local users group had read
> access, but hadn't really thought much about it as I thought there
> wouldn't be many local users, cos it was a web server only requiring a
> few administrators like me to log on. Turns out every authenticated
> user on the domain is in the local user group on the web server.
>
> Now my infrastructure guys tell me this is completely normal and
> nothing to worry about, and also the default setup. Can someone
> confirm this and explain what local user group is for? I obviously
> have got wrong, but I thought it was for people who will be logging
> onto the server in question... not joe bloggs in the account
> department who probably doesn't need to have any permissions on the
> server - at most might need access to one share.
>
> Cheers,
>
> James
Re: Local User Group and Domain Users [message #164375 is a reply to message #164041] Mon, 22 June 2009 05:27 Go to previous message
JimLad  is currently offline JimLad  United Kingdom
Messages: 64
Registered: July 2009
Member
On Jun 12, 6:59 pm, "Marcin" <mar...@community.nospam> wrote:
> James,
> when a computer account is added to the domain, Domain Users group are
> automatically added ot local Users group - so yes, the behavior you
> described is expected. For overview of local groups and their purpose, refer
> tohttp://technet.microsoft.com/en-us/library/cc785020(WS.10).aspx
> When permissioning access to resources, use domain local groups, which
> membership you can manage in a more controlled manner...
>
> hth
> Marcin
>
> "JimLad" <jamesdbi...@yahoo.co.uk> wrote in message
>
> news:ed093501-1126-4a21-a302-f9ecb9feabd0@y9g2000yqg.googlegroups.com...
>
>
>
> > Hi,
>
> > Sorry! This is a very basic question on S2003. Apologies in advance.
>
> > I was wondering why more users than I intended had access to a share I
> > created. I set the share permissions to everyone full access, but I
> > thought the ntfs permissions were quite restrictive.
>
> > Turns out I was wrong: I had seen that local users group had read
> > access, but hadn't really thought much about it as I thought there
> > wouldn't be many local users, cos it was a web server only requiring a
> > few administrators like me to log on. Turns out every authenticated
> > user on the domain is in the local user group on the web server.
>
> > Now my infrastructure guys tell me this is completely normal and
> > nothing to worry about, and also the default setup. Can someone
> > confirm this and explain what local user group is for? I obviously
> > have got wrong, but I thought it was for people who will be logging
> > onto the server in question... not joe bloggs in the account
> > department who probably doesn't need to have any permissions on the
> > server - at most might need access to one share.
>
> > Cheers,
>
> > James- Hide quoted text -
>
> - Show quoted text -

Hi Marcin,

Thanks for the confirmation. This still seems like an utterly
ridiculous default to me. From a least privileges point of view if
nothing else. Why would all authenticated users on the domain need any
logon permissions on any kind of server? It doesn't make any sense -
servers are generally for admins only. It only makes sense on
workstations and even then only if you want to allow pc sharing.

In other words - is there something else going on here? Why wouldn't
the first thing you do on a server be to remove these permissions?

James
Previous Topic:Netware vmware VM to Hyper-V conversion
Next Topic:Re: Help! Applying the computer settings
Goto Forum:
  


Current Time: Sat Aug 19 05:16:12 EDT 2017

Total time taken to generate the page: 0.03429 seconds
.:: Contact :: Home ::Sitemap::.

Powered by: FUDforum 3.0.0RC2.
Copyright ©2001-2009 FUDforum Bulletin Board Software