Contoso users cannot logon to the DC, 70-640 book says they can

  • Question

  • I'm using the Server 2008 R2 VHD for the MCITP 70-640 Training, so I hope there isn't that much of a difference. My problem is that I've been following the book, but when I've tried to log on as Barbara Mayer and do a runas /User:Mike Danseglio I'm being told that these users do not have permission to log on to the computer (Domain Controller).

    My best guess is that because both users are Domain Users, they don't have logon rights. Did I miss a step somewhere for each of these accounts or is this a difference in R2 vs 2008 RTM?

    Thanks

    ** EDIT: If I have this in the wrong forum, can a MOD please move it to the correct one so I can get answers and move forward? Thanks

    Tuesday, August 17, 2010 6:40 PM

Answers

  • Hello,

    In order to allow members of the 'Domain Users' group to log onto a Windows Server 2008 or 2008 R2 Domain Controller you must first do the following.

     

    1. Open the 'Group Policy Management Console' on the Domain Controller. You can do this by running the command 'gpmc.msc' from the run menu.

    2. Open the 'Default Domain Controllers Policy'

    3. Expand/browse to the following - Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies/User Rights Assignment.

    4. Modify the policy 'Allow log on locally' adding the 'Domain Users' group to this.

    5. Close the Group Policy Management Console

    6. Run the command 'gpupdate /force'

     

    Members of the Domain Users group will now be able to log on to Domain Controllers in this domain.

     

    By default these group members cannot logon as it is a security issue.

    This is not something I would ever enable on a server, but it is good to know how to do this for education purposes.

    The easy option is to add these users to the 'Domain Admins' group, but you will not learn about group policy by using such workarounds.

     

    **NOTE: Members of the Domain Users group are, by default, given access to read some data from Domain Controllers. By default these users will only be able to log on to workstations such as Windows XP, Vista or 7, authenticating to the domain controller and reading policies etc. they require as domain members.

    If you need users to log on to any server you are best to create a group for this and allow logon either through the domain policies or the local server policies.


    Jarad, MCITP, Brisbane Australia
    • Edited by GrumpyBum Wednesday, August 18, 2010 3:24 AM Added '**NOTE' to the bottom.
    • Marked as answer by r.watts Wednesday, August 18, 2010 5:48 AM
    Wednesday, August 18, 2010 3:17 AM
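
To check which accounts actually hold 'Allow log on locally' once the policy has applied, the following added example (not part of the original answer) exports the user rights assignment with secedit and flags broad groups such as Domain Users. It assumes an elevated PowerShell prompt on the Domain Controller; the function name and the list of "broad" SIDs are choices made for this example.

```powershell
# Added example: audit who holds 'Allow log on locally' on this machine.
# Run from an elevated PowerShell prompt on the Domain Controller.
function Get-InteractiveLogonRight {   # hypothetical helper name
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    # secedit writes the machine's current user rights assignment to an INF file.
    secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
    try {
        $line = Get-Content $cfg |
            Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' } |
            Select-Object -First 1
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
    if (-not $line) { return }   # right not defined in the export

    # The value is a comma-separated list; SIDs carry a leading '*'.
    foreach ($raw in ($line -split '=', 2)[1].Split(',')) {
        $entry = $raw.Trim()
        $sid = '<unresolved>'; $name = '<unresolved>'
        try {
            if ($entry.StartsWith('*')) {
                $sid  = $entry.Substring(1)
                $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
            } else {
                $name = $entry
                $sid  = (New-Object System.Security.Principal.NTAccount($entry)).Translate([System.Security.Principal.SecurityIdentifier]).Value
            }
        } catch { }   # keep whatever was resolved before the failure
        New-Object PSObject -Property @{ Sid = $sid; Name = $name }
    }
}

# Everyone, Authenticated Users, BUILTIN\Users, and any domain's Domain Users (RID 513).
$broad = '^(S-1-1-0|S-1-5-11|S-1-5-32-545|S-1-5-21-(\d+-){3}513)$'

Get-InteractiveLogonRight | ForEach-Object {
    $flag = if ($_.Sid -match $broad) { 'BROAD' } else { 'ok' }
    '{0,-6} {1,-45} {2}' -f $flag, $_.Name, $_.Sid
}
```

After steps 4 and 6 above, Domain Users is listed and flagged BROAD; with a dedicated logon group, as the answer recommends for servers, only that group appears alongside the built-in administrative groups.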

All replies

  • Thanks for the reply. I guess it is just odd there was no mention of this in the book and leaving people who are new to it in the dark. Something as simple as a sidebar tip to say what you said which was do not do this in production, but for the current purpose it's ok.

    If the 70-640 exam book authors are reading, this is something to add to the errata and/or future versions.

    ***EDIT***: I just realized that the book has, a few times, mentioned that the Domain Users should be Members Of the Print Operators group. I didn't understand this until I hit the chapter about Groups.

    Wednesday, August 18, 2010 5:48 AM