Allow logon locally domain controller windows 2008
Can it be done?
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. Any account with the Allow log on locally user right can log on to the console of the device. If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges.
For domain controllers, assign the Allow log on locally user right only to the Administrators group. For other server roles, you may choose to add Backup Operators in addition to Administrators.
For end-user computers, you should also assign this right to the Users group. Alternatively, you can assign groups such as Account Operators, Server Operators, and Guests to the Deny log on locally user right.
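One way to check the assignments described above against an exported policy, as an added example that is not part of the original guidance. It assumes the user rights were exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS`; the role labels, function names and sample export are constructed for illustration.

```python
# Added example: audit "Allow log on locally" in a secedit USER_RIGHTS export.
ADMINISTRATORS = "S-1-5-32-544"    # well-known SID: BUILTIN\Administrators
USERS = "S-1-5-32-545"             # well-known SID: BUILTIN\Users
BACKUP_OPERATORS = "S-1-5-32-551"  # well-known SID: BUILTIN\Backup Operators

# Allowed holders per role, a strict reading of the guidance above.
# The role labels are names chosen for this example.
ALLOWED = {
    "domain_controller": {ADMINISTRATORS},
    "member_server": {ADMINISTRATORS, BACKUP_OPERATORS},
    "workstation": {ADMINISTRATORS, USERS},
}

# Constructed sample of an exported security template (not from a real host).
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-5-32-548
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs carry a leading '*'; other entries are plain account names.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def audit_logon_locally(inf_text, role):
    """Return principals that hold the right but are not allowed for the role."""
    rights = parse_privilege_rights(inf_text)
    holders = set(rights.get("SeInteractiveLogonRight", []))
    # Deny log on locally overrides allow. Only direct matches are handled
    # here; nested group membership is not resolved.
    denied = set(rights.get("SeDenyInteractiveLogonRight", []))
    return sorted(holders - denied - ALLOWED[role])
```

An empty list means the export matches the allow list for that role. secedit typically writes the file as UTF-16, so read it with `encoding="utf-16"` before passing the text in.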
If you remove these default groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. If you have installed optional components such as ASP.

The DSRM password is specified in the process of deploying (promoting) a member server to a domain controller. On Windows Server SP2 or higher, there is another way to set up the password for the DSRM-admin: by copying (synchronizing) the password with the domain account.
To sync you can choose any existing user or create a new one.

Right, this works too. If the account is a domain admin, they're already in the correct group. The Domain Admins group is a member of the domain builtin group Administrators, which is granted the "allow logon locally" user right. He didn't specify.. Right, I was responding to your answer. I may have misunderstood what you meant. I thought you were saying that if the account is a Domain Admin member of the domain admins group that the OP should then add the user to the correct group and my comment was that any member of the Domain Admins group is by virtue of nested membership also a member of the domain builtin group Administrators, which has the allow logon locally user right on domain controllers.
By "Correct security group" I was referring to Domain Admin, apologies if that wasn't clear.