Interactive users group - Could it be a BUG ?

Roy Valenciano

It seems to be a BUG with the behavior of the Interactive Users group.
According to MS documentation, the membership definition of such group is:

S-1-5-4

Interactive

A group that includes all users who have logged on interactively.
Membership is controlled by the operating system.


I take "have logged on interactively" as an affirmation that the user had
the correct permissions and rights to log on, and so he did. After log on,
he's automatically a member of the interactive users group, membership
assigned by the OS.

Problem is, we completely removed every user and groups from the "Log on
locally" user right configuration, on a XP Workstation, except user "A". The
XP WS is a member of a W2K domain, so is user "A" and user "B".

Then we tried to log onto the W2K domain, from the XP WS, using user "B",
which had no "log on locally" rights on the XP WS.

SURPRISE: user "B" is able to log onto the domain from the XP WS, despite
having no log on locally rights on the XP WS, nor is he a member of any of the
local groups of the XP WS.

Both users, "A" and "B", are users of the W2K Domain. They have no special
group membership or rights on the domain, nor on the XP WS. They are just
normal accounts.

SOLUTION: after several tests, with several XP WS, we decided (at that
moment just a guess !) to remove the "NT authority\Interactive Users" group
from the local users group on the XP WS. Then, the XP worked as expected,
user "B" was no longer able to log onto the Domain from the XP WS. User "A",
as a member of the local group Users on the XP WS was able to log onto the
domain, as he should be, since the local group Users has the "log on
locally" right.

We repeated this test on several XP WS, and all revealed the same behavior.

So, the question is: IS THIS A BUG in the Interactive Users group under XP?
Or is it just the way Interactive Users is designed to work, in which case
the definition of MS seems wrong to me?

Thanks a lot.
 
Steven L Umbach

That seems odd, and using the same configuration, only the user listed in the logon
locally user right and administrators are able to logon to my XP Pro computer in my
W2K domain. In XP Pro the user right to logon locally must also include the
administrators group - at least XPSP1 does. I would suggest that you add the interactive
group back to the users group and try again using more than two users, with at least a
couple more domain users and a couple of local computer users, all not being in the
domain admins or local administrators group of the XP Pro computer, and also use the
Security Configuration and Analysis tool to analyze the computer against perhaps the
setup security.inf template to see what it reports as the computer configuration for
the user right for logon locally, to make sure it is what you believe it is.

--- Steve
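
The check suggested above can also be done from an export made with `secedit /export /areas USER_RIGHTS /cfg rights.inf`, comparing the `SeInteractiveLogonRight` ("Log on locally") entry against the accounts you expect. The following is an added example, not part of the thread; the sample export is constructed and the `CORP` domain name is a placeholder.

```python
import re

# Constructed sample of a `secedit /export /areas USER_RIGHTS` file (not from the thread).
# Real exports are UTF-16; read them with open(path, encoding="utf-16").
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,CORP\\userA
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Well-known SIDs, including the one quoted in the thread (S-1-5-4).
WELL_KNOWN = {
    "S-1-5-4": "NT AUTHORITY\\INTERACTIVE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

def parse_privilege_rights(text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs are exported with a leading '*'; account names appear as-is.
        rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def audit_logon_locally(text, expected):
    """Split holders of "Log on locally" into all holders and unexpected ones."""
    holders = parse_privilege_rights(text).get("SeInteractiveLogonRight", [])
    named = [WELL_KNOWN.get(h, h) for h in holders]
    allowed = {e.lower() for e in expected}
    return named, [n for n in named if n.lower() not in allowed]

if __name__ == "__main__":
    print(audit_logon_locally(SAMPLE_EXPORT, {"CORP\\userA", "BUILTIN\\Administrators"}))
```

When a group such as `BUILTIN\Users` is reported as unexpected, its members also hold the right, so list them as well (for example with `net localgroup Users`).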
 
