user group: "can not log in interactively" is Win2k message

[leegold]

Simple question I think:

On a LAN I have several win2kpro client PCs.
I have admin. rights locally on these PCs.
Note: We're in similar to a library setting w/many patrons using these PCs.
I notice the average user, ie. the user name that we
logon with and each customer subsequently uses is in the: "power user" group.

So, wanting to be more secure, I switch the "average user" to just the "user" group.
But find that now with "average user" can not logon after the bootup.
Win2K message says "This user can not log in interactively".
Ques:
If I go into: Control panel>Local Security Policy>Security settings>user rights assignment>
logon locally...and check "users" ...or better yet (?) add the specific user only...

Well, is this a fairly good practice to get abit more secure?
I'm assuming that I won't be over-ridden by domain controller policy.

Thanks,
Lee

 

[Steven L Umbach]

It is always good practice to give users minimum permissions/rights needed to do
their job.Yes it is worth trying. Domain policy may or may not override the setting
depending or not if that user right assignment is configured at the domain level. By
default it is not. You will see "effective" settings for the Local Security Policy
that will tell you if the new local setting is being implemented or not. It may take
a reboot to find out for sure. Be sure to test out new group configuration. You may
find that they are in the power users group for a reason. Some software will not be
able to be used by a regular user unfortunately, at least without modifications to
ntfs/registry permissions. --- Steve