Local Users Group - Safely removing users?



Ariel
07-09-2005, 10:51 PM
Hello,

Could someone please tell me, what, if any, are the ramifications of
removing the following users\groups from my local users group on my Win2K and
Win2K3 servers:

This would be for a mix of app and file servers.

Active_Directory_Name\Domain Users
NT Authority\Authenticated Users
NT Authority\INTERACTIVE

My intent is to deny log on locally privs. I know I can simply remove the
users group from the log on local security policy, but why not take it a step
further and simply remove these domain groups from the local users group?

Any input is much appreciated.

Roger Abell
07-09-2005, 10:52 PM
You may use the membership of the Users group to control
what accounts are able to log into the member machine.
This happens in two ways. One, you noted, is due to the
User Rights granted to Users groups, such as the local logon
right. The other is due to NTFS, registry, etc. grants to the
Users groups, without which a local login fails.

You may also control access to the system by removing Users
from the user rights grants, replacing with only the principals
that should have those (local or network) access.

When both are used one has layered control definitions so that
both mechanisms are effective in limiting access.

INTERACTIVE being a member of Users states that any account
that can log in will have the grants given to the Users group.
Authenticated Users being in Users states that any account that is
required to and successfully does authenticate is a Users member.
With these present, Domain Users being in Users is redundant.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

techguy
07-09-2005, 10:52 PM
You might not be able to remove some of them since they are built-in
groups and anyway they will not cause any harm to you... so what's the
point


--
techguy

Ariel
07-09-2005, 10:52 PM
Roger,

Thanks very much for the detailed response. I'm not sure I understand all
of what you say, so I'd like to boil this down.

Will I cause any issue\problems by removing:

> > Active_Directory_Name\Domain Users
> > NT Authority\Authenticated Users
> > NT Authority\INTERACTIVE

From my local users group (y\n)?

Does this accomplish denying local login (y\n) while also restricting the
default NTFS perms on the c:\ drive (local users by default have read &
execute, list and read on the c: drive outside of Documents and Settings)
(y\n). This is partially why I hesitate... why, for example, does the local
Users group need those NTFS perms for c:\windows?

If you would be so kind as to answer the y\n questions, I'd really, really
appreciate that. Any additional comments would also be great.

Thanks again!


Roger Abell
07-09-2005, 10:52 PM
remove meant remove from Users group membership, or from
the User Rights, not undefined and remove from the system
which as you note cannot be done with predefineds.

--
Roger
"techguy" <techguy.1pbeba@DoNotSpam.com> wrote in message
news:techguy.1pbeba@DoNotSpam.com...
>
> You might not be able to remove some of them since they are built-in
> groups and anyway they will not cause any harm to you.....so whats the
> point
>
>
> --
> techguy

Roger Abell
07-09-2005, 10:52 PM
inlined . . .

"Ariel" <Ariel@discussions.microsoft.com> wrote in message
news:023C7152-3120-44E6-BD0F-09E3B3B1FA03@microsoft.com...
> Roger,
>
> Thanks very much for the detailed response. I'm not sure I understand all
> of what you say, so I'd like to boil this down.
>
> Will I cause any issue\problems by removing:
>
> > > Active_Directory_Name\Domain Users
> > > NT Authority\Authenticated Users
> > > NT Authority\INTERACTIVE
>
> From my local users group (y\n)?
>
Depends on what you want to use the machine for, and on
what remains in the Users group.
For example, if only locally defined non-guest accounts
should be able to log in, and those accounts are in Users,
then removing those three is required to make it be as it
should if Users is left in the login user rights.

> Does this accomplish denying local login (y\n)
No. Denying local login is done with the Deny login locally user right.
This would however stop granting Logon locally to those accounts no
longer included in Users (again, leaving Users in the Logon locally ur).

> while also restricting the
> default NTFS perms on the c:\ drive (local users by default have read &
> execute, list and read on the c: drive outside of Documents and Settings)
> (y\n).
Users group continues to have all grants made to Users group, but
just what accounts that means is changed.

> This is partially why I hesitate... why, for example, does the local
> Users group need those NTFS perms for c:\windows?
>
There are a number of executables and their support files that are
needed to login, to present the desktop, to perform various other
functions, etc.

> If you would be so kind as to answer the y\n questions, I'd really, really
> appreciate that. Any additional comments would also be great.
>
> Thanks again!
>
As you may notice, it is all situational on what that member machine
should be allowing.
Notice that I have a few times qualified with "member" by which I have
been indicating that nothing discussed in this thread is for DCs.

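
The layering discussed in this thread can be checked offline. The following is an added example, not code from any poster: it parses a constructed user-rights export in the format `secedit /export /cfg rights.inf /areas USER_RIGHTS` writes, and applies a simplified model (deny wins, otherwise any matching SID grants) to a Users group before and after the three principals are removed. The account SIDs, the sample export and the function names are assumptions made for illustration.

```python
# Well-known SIDs (identical on every Windows system).
ADMINS = "S-1-5-32-544"        # BUILTIN\Administrators
USERS = "S-1-5-32-545"         # BUILTIN\Users
AUTH_USERS = "S-1-5-11"        # NT AUTHORITY\Authenticated Users
INTERACTIVE = "S-1-5-4"        # NT AUTHORITY\INTERACTIVE
# Constructed placeholder SIDs for a domain group/account and a local account.
DOMAIN_USERS = "S-1-5-21-1111-2222-3333-513"
DOMAIN_ACCOUNT = {"S-1-5-21-1111-2222-3333-1104", DOMAIN_USERS, AUTH_USERS}
LOCAL_OPERATOR = "S-1-5-21-9999-8888-7777-1005"
LOCAL_ACCOUNT = {LOCAL_OPERATOR}

# Constructed sample export: Users is left in the "log on locally" right.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
"""

def parse_rights(inf_text):
    """Return {right name: set of SIDs/names} from [Privilege Rights]."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            entries = (v.strip().lstrip("*") for v in value.split(","))
            rights[name.strip()] = {e for e in entries if e}
    return rights

def can_log_on_locally(account_sids, users_members, rights):
    """Simplified model of the two user rights for one account."""
    sids = set(account_sids)
    if sids & set(users_members):      # account reaches Users via a member
        sids.add(USERS)
    if sids & rights.get("SeDenyInteractiveLogonRight", set()):
        return False                   # an explicit deny overrides any grant
    return bool(sids & rights.get("SeInteractiveLogonRight", set()))

# Users group membership before and after removing the three principals.
DEFAULT_USERS = {DOMAIN_USERS, AUTH_USERS, INTERACTIVE, LOCAL_OPERATOR}
TRIMMED_USERS = {LOCAL_OPERATOR}

if __name__ == "__main__":
    rights = parse_rights(SAMPLE_INF)
    for label, members in (("default", DEFAULT_USERS), ("trimmed", TRIMMED_USERS)):
        print(label, "domain:", can_log_on_locally(DOMAIN_ACCOUNT, members, rights),
              "local:", can_log_on_locally(LOCAL_ACCOUNT, members, rights))
```
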

