Allow local DC logon to users

#1 05-05-2009

Good Morning

don't know if is possible.
I want to allow users to login on the DC via ssh. i need to allow local
login.
I don't want users to login at the DC console. deny interactive logon.

will you please correct me if i'm wrong ??
and point me at the right direction ??

thank you
pleite

#2 05-05-2009

Not sure how you would do that, but even if you could, you should NEVER
allow anyone other than a domain admin access to your dc. Granting access
via another route doesn't really provide any true protection. Find another
machine to grant what it is your users need access to.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Pedro M. Leite" <pleite@cimbo.com> wrote in message
news:e8RjJ8WzJHA.4116@TK2MSFTNGP04.phx.gbl...
> Good Morning
>
> don't know if is possible.
> I want to allow users to login on the DC via ssh. i need to allow local
> login.
> I don't want users to login at the DC console. deny interactive logon.
>
> will you please correct me if i'm wrong ??
> and point me at the right direction ??
>
> thank you
> pleite

#3 05-05-2009

Good Afternoon

I totally agree. confinement would be the next step.
anyway, and for testing purposes, am i going the right way ??

thank you
pleite

On Tue, 05 May 2009 07:15:51 -0500, Paul Bergson [MVP-DS] wrote:

> Not sure how you would do that, but even if you could, you should NEVER
> allow anyone other than a domain admin access to your dc. Granting
> access via another route doesn't really provide any true protection.
> Find another machine to grant what it is your users need access to.

#4 05-05-2009

Keeping off of the DC is the only way, anything else is prone to possible
attack and failure of any type of security audit.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Pedro M. Leite" <pleite@cimbo.com> wrote in message
news:%23KVJyxXzJHA.1372@TK2MSFTNGP05.phx.gbl...
> Good Afternoon
>
> I totally agree. confinement would be the next step.
> anyway, and for testing purposes, am i going the right way ??
>
> thank you
> pleite
>
>
> On Tue, 05 May 2009 07:15:51 -0500, Paul Bergson [MVP-DS] wrote:
>
>> Not sure how you would do that, but even if you could, you should NEVER
>> allow anyone other than a domain admin access to your dc. Granting
>> access via another route doesn't really provide any true protection.
>> Find another machine to grant what it is your users need access to.
>

#5 05-05-2009

thank you

pleite
On Tue, 05 May 2009 07:42:20 -0500, Paul Bergson [MVP-DS] wrote:

> Keeping off of the DC is the only way, anything else is prone to
> possible attack and failure of any type of security audit.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search

Similar Threads for: "Allow local DC logon to users"
Thread	Thread Starter	Forum	Replies	Last Post
Logon issues when local DC goes down	Sams2	Active Directory	13	22-02-2010 06:59 PM
List of users logon to AD	spmx43	Active Directory	4	20-06-2009 07:21 PM
users is empty in Local users and groups snap-in	Bill Zhou	Windows Security	6	02-02-2009 10:28 PM
users' last-logon-timestamp	John	Active Directory	10	06-06-2008 10:02 PM
Help Run Dll C:\Users\ Users name\AppData\local\temp\axdeqxgo.dll	Tyberious25	Vista Help	1	29-04-2008 03:31 AM

Allow local DC logon to users

Active Directory