  1. Member
    Join Date
    Feb 2008
    Location
    Western Australia
    Posts
    54

    Certifications
    70-270, 70-271, 70-272, 70-290, 70-291
    #1

    Default Domain Guest account logon!!!!

    Hey Guys.

    I've been doing some testing within a Microsoft Virtual PC 2004 environment. I have one domain controller (Windows Server 2003), one member server (Windows Server 2003) and one client workstation (WinXP) running.

    I've been doing some testing with the user rights of "log on locally" and "deny log on locally" on the client workstation.

    When you run gpedit.msc on the client workstation, you get the following security settings:

    User right (Policy) -Security Setting

    -log on locally -Administrators, Backup Operators, Guest, Power Users, Users

    -deny log on locally -Guest, Support a/c

    There are no group policies (site, domain, OU etc.) in place, as confirmed when running rsop.msc on the client:

    User right (Policy) - Computer Setting

    -log on locally - "not defined"

    -deny log on locally - "not defined"


    Now, as part of my testing, I tried logging on to the workstation using the local guest a/c and as expected, I could not logon. This is clearly because the deny right is overriding the allow right.

    However, I then tried logging in using the domain guest account and the logon was successful.

    Any ideas why?

    The domain guests group (which contains the domain guest a/c) does not appear to be a member of any of the above-mentioned groups so I am not sure why logon is successful.

    My thanks in advance.

    Mark

  3. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #2
    Well, the local guest account on the member server isn't the same account as the domain guest account i.e. <computer name>\guest vs. <domain name>\guest. It sounds like you're only denying the local guest account.

  4. Virtual Member undomiel's Avatar
    Join Date
    Sep 2007
    Location
    Bellevue, WA
    Posts
    2,813

    Certifications
    MCSA:2008, VCP4/5, CCA (XS), MCITP: EA/VA, MCSE, MCSA, Linux+, Security+, Server+, A+
    #3
    I believe Domain Guest is the group you'd want to block to deny the domain guest account.

  5. Member
    Join Date
    Feb 2008
    Location
    Western Australia
    Posts
    54

    Certifications
    70-270, 70-271, 70-272, 70-290, 70-291
    #4
    Well yes, I realise that I could explicitly deny the domain guest account the ability to log on.

    However, it just seems strange that by default, the local guest account is locked out but the domain guest account is not.

    If anything, one might think it would be more secure to lock out the domain guest account rather than the local guest account.

    I suppose I am just trying to make sense of default settings (with respect to groups' rights etc).

    Mark

  6. New Member royal's Avatar
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #5
    Guest account rocks for LAN parties! Have a bunch of pictures, videos taken, etc.? Put your computers in the same workgroup, share out your stuff, enable guest account. Now everyone has free access to your stuff without needing to assign ACLs for the shares!

  7. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #6
    Quote Originally Posted by Markie
    If anything, one might think it would be more secure to lock out the domain guest account rather than the local guest account.
    The guest accounts are disabled by default. It doesn't get much more secure than that

  8. Member
    Join Date
    Feb 2008
    Location
    Western Australia
    Posts
    54

    Certifications
    70-270, 70-271, 70-272, 70-290, 70-291
    #7
    Quote Originally Posted by dynamik

    The guest accounts are disabled by default. It doesn't get much more secure than that
    I don't know, wouldn't denying the domain guest a/c the logon locally right be an extra layer of security?

    I take your point, but I guess it's just one of those Microsoft things that don't quite make sense. It just seems strange that the local security policy would by default deny the local guest account the logon locally right instead of say the Guests group (which would then include the domain guest account as well).

    Mark

  9. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #8
    I guess. They probably just assume that if you're going to enable it, you're going to adjust those settings however you see fit. I don't think too many people actually end up enabling the guest account anyway, so it doesn't seem like an issue that would get a lot of attention.
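
The account-versus-group distinction from replies #2, #3 and #7, as an added example that is not part of the original thread: it parses a constructed excerpt in the layout of a `secedit /export /areas USER_RIGHTS` file and reports which SIDs in a logon token the "deny log on locally" entry matches. The machine and domain SID prefixes, the support account RID and the token contents are constructed, and the nesting of Domain Guests into the local Guests group is an assumption taken from post #7.

```python
import copy

DENY = "SeDenyInteractiveLogonRight"   # "Deny log on locally"
MACHINE = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed machine SID
DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"   # constructed domain SID
GUESTS = "S-1-5-32-546"                # well-known local Guests group

# Constructed excerpt mirroring the workstation defaults listed in post #1.
# RID 501 is Guest; RID 1001 for the support account is a placeholder.
EXPORT = f"""[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*{MACHINE}-501,*S-1-5-32-547,*S-1-5-32-545
{DENY} = *{MACHINE}-501,*{MACHINE}-1001
"""

# Constructed logon tokens: the account SID plus its group SIDs.
LOCAL_GUEST = {f"{MACHINE}-501", GUESTS}
# Assumption (from post #7): Domain Guests (RID 514) is nested in local Guests.
DOMAIN_GUEST = {f"{DOMAIN}-501", f"{DOMAIN}-514", GUESTS}


def parse_rights(text):
    """Map each right in [Privilege Rights] to its set of SIDs."""
    rights, in_section = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {
                v.strip().lstrip("*") for v in value.split(",") if v.strip()
            }
    return rights


def deny_matches(token, rights):
    """SIDs in the token that the deny-log-on-locally entry names."""
    return token & rights.get(DENY, set())


def with_deny(rights, sid):
    """Copy of the rights with one more SID in the deny entry."""
    updated = copy.deepcopy(rights)
    updated.setdefault(DENY, set()).add(sid)
    return updated


if __name__ == "__main__":
    shipped = parse_rights(EXPORT)
    for label, r in (("default", shipped), ("deny Guests", with_deny(shipped, GUESTS))):
        print(label, "local:", sorted(deny_matches(LOCAL_GUEST, r)),
              "domain:", sorted(deny_matches(DOMAIN_GUEST, r)))
```

With the default entry only the local Guest token matches; adding either the Guests group or the Domain Guests SID to the deny entry makes the domain Guest token match as well.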
