advice needed

#1 vlb, 27-Aug-2007, 01:46 PM

Hi guys

First off, I just want to know if it is allowed for me to post a question here that I was asked in a mock exam. I just want your advice on the question because even though I got it right, the answer doesn't make any sense to me.

If an admin could let me know if I can post this question (and the funky answer) it would be appreciated.

Second thing I wanted to know is about interactive login.

Suppose I wanted to give a certain group the ability to log on to a server: 1) why would I use an interactive login GPO instead of just creating a local group and adding their domain group (or user accounts) to it?

2) Does "interactive logon" mean that they are logged on locally? I.e. if my admins have domain accounts and my servers are part of my domain then they will be able to log on to the server anyway? So what's the need for an interactive logon GPO?

Thanks for any answers you might have.

Martyn

 
#2 ManicMonkey, 27-Aug-2007, 02:05 PM
Mock exam? Is it a certified examination that you're taking or some sort of training exam to prepare you for the real thing?
Brain dumps (ACTUAL test questions) are not allowed here.

Anyone logging onto a domain controller has to have the logon locally right (interactive login is basically logon locally).
Yes, you could create a local group on each and every server and then add each and every user to it... it's just that, well, that's a lot of work for not a lot of gain. GPOs are designed to ease administration tasks, making life much more secure and faster to work with.

If you create a GPO that allows interactive logon and add users to it, then you're saying that these users can log on to any server in your entire company that has this GPO attached to it. Is that not much faster than the alternative?
At least I think it would be
(plus if you discover a security breach or problem it's much faster to disable 1 GPO than remove X number of users from Y number of servers).

To answer your final question, yes, admins are usually given the interactive logon right by default. However, are you saying that every single admin in your domain has the same access rights? From the lowly 1 week old newbie to the highly respected 20 year veteran?
In an ideal world you should have different levels of access for each administrator. Someone in charge of user accounts (creating, adjusting, resetting passwords etc.) would not really need any access to a server and as such would not need interactive logon rights, whereas someone in charge of the server maintenance would need to be able to log on to the server to ensure it's tip-ety-top ok.


Last edited by ManicMonkey : 27-Aug-2007 at 02:14 PM.
 
#3 vlb, 27-Aug-2007, 02:47 PM
Quote:
Originally Posted by ManicMonkey
Mock exam? Is it a certified examination that you're taking or some sort of training exam to prepare you for the real thing?
Brain dumps (ACTUAL test questions) are not allowed here.

Anyone logging onto a domain controller has to have the logon locally right (interactive login is basically logon locally).
Yes, you could create a local group on each and every server and then add each and every user to it... it's just that, well, that's a lot of work for not a lot of gain. GPOs are designed to ease administration tasks, making life much more secure and faster to work with.

If you create a GPO that allows interactive logon and add users to it, then you're saying that these users can log on to any server in your entire company that has this GPO attached to it. Is that not much faster than the alternative?
At least I think it would be
(plus if you discover a security breach or problem it's much faster to disable 1 GPO than remove X number of users from Y number of servers).

To answer your final question, yes, admins are usually given the interactive logon right by default. However, are you saying that every single admin in your domain has the same access rights? From the lowly 1 week old newbie to the highly respected 20 year veteran?
In an ideal world you should have different levels of access for each administrator. Someone in charge of user accounts (creating, adjusting, resetting passwords etc.) would not really need any access to a server and as such would not need interactive logon rights, whereas someone in charge of the server maintenance would need to be able to log on to the server to ensure it's tip-ety-top ok.

Hi Manic Monkey, thanks for your swift reply.

The question I would like to post is from a training exam. It isn't a TK question (at least it isn't taken from a TK paper) so as far as I know it's not a brain dump question.

I guess I was a little confused on what exactly "interactive login" did, so just so I can get this right in my head: if I had an OU named servers, and in that OU were srv1 and srv2, if I applied a GPO that allowed "interactive logon" to that OU and then in the "interactive logon" section defined a group of admins, any of those admins could walk up to srv1 and srv2 and log onto it.... I know the answer is yes but what confuses me is that

a) when they sit down in front of those servers are they choosing the domain to log onto or are they choosing srv1 (this computer)

b) if they are choosing the domain to log onto is it the case that the "interactive logon GPO" is merely giving them the same rights as if they were to log on to srv1 (this computer)


My sincere apologies for the long-winded question, I just feel that if I slotted this piece into place it would answer so much more for me.

Thanks

Martyn

 
#4 BosonMichael, 27-Aug-2007, 03:31 PM
Be careful of mock exams freely available on the Internet... quite often, they're braindumps even though they're not listed as such.


BosonMichael
MCSE+I, MCSE: Security, MCDST, MCDBA, OCP, CCNP, CCDP, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
Served proudly, US Army, 98C Intelligence Analyst, '89-'92
 
#5 ManicMonkey, 27-Aug-2007, 03:38 PM
Just noticed a mistake in my original reply (oops)


Interactive logon is the process used to log on to a domain or machine. Every login process uses this function.
To log into a SERVER the account must have the log on locally right. Local accounts stored in the machine's SAM database have this right by default.
Any domain accounts that are required to log onto a server must have this right allocated to them. Administrative accounts usually have this by default.

Microsoft Technet- Interactive Logon
http://technet2.microsoft.com/window....mspx?mfr=true

Microsoft Technet - Log On Locally

Quote:
Allow log on locally


This logon right determines which users can interactively log on to this computer. Logons initiated by pressing CTRL+ALT+DEL on the attached keyboard requires the user to have this logon right. Additionally this logon right may be required by some service or administrative applications that can log on users. If you define this policy for a user or group, you must also give the Administrators group this right.

Default:


On workstations and servers: Administrators, Backup Operators, Power Users, Users, and Guest.


On domain controllers: Account Operators, Administrators, Backup Operators, Print Operators, and Server Operators.

So back to the original question..
Quote:
why would I use an interactive login GPO instead of just creating a local group and adding their domain group (or user accounts) to it.
GPOs are designed to make an administrator's job easier and smoother. By creating a GPO and adding groups or users to it you can allocate this to either individual servers or OUs containing servers.
Why do this, you ask? Well, think of the worst possibility that could happen: security breach, administrator causing problems on the servers (or something just as bad). If the only access they have is via the network then by disabling this 1 GPO you have totally shut their access to all the servers this GPO is associated with.

Quote:
when they sit down in front of those servers are they choosing the domain to log onto or are they choosing srv1 (this computer)
In all honesty there should be almost no call for anyone to sit at a server and log on, therefore you should be looking more towards a domain logon from across the network from an account with logon locally rights.

Quote:
if they are choosing the domain to log onto is it the case that the "interactive logon GPO" is merely giving them the same rights as if they were to log on to srv1 (this computer)
Again, don't let people log on directly to servers; it's almost impossible to restrict access this way (especially if they know the local administrator account for that server).
If you use GPOs attached to groups then it will be the GPO that defines what access rights they have.


Last edited by ManicMonkey : 27-Aug-2007 at 03:44 PM.
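
Added example (not part of the original thread): one way to check which principals actually hold the "Allow log on locally" right (`SeInteractiveLogonRight`) on a server, by auditing the `[Privilege Rights]` section of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export. It also checks the Technet point quoted above that Administrators must keep the right once the policy is defined. The sample export text, the `CONTOSO\ServerAdmins` group and the allowlist are constructed for illustration.

```python
# Added example: audit "Allow log on locally" (SeInteractiveLogonRight) in a
# secedit export. SAMPLE_INF is constructed; CONTOSO\ServerAdmins is hypothetical.
import re

ADMINISTRATORS = "*S-1-5-32-544"
WELL_KNOWN = {  # built-in group SIDs in the form secedit writes them
    "*S-1-5-32-544": "Administrators",
    "*S-1-5-32-545": "Users",
    "*S-1-5-32-551": "Backup Operators",
}

SAMPLE_INF = r"""
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-545,CONTOSO\ServerAdmins
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section only."""
    rights, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def audit_local_logon(inf_text, allowed):
    """Findings for SeInteractiveLogonRight against an allowlist of principals."""
    holders = privilege_rights(inf_text).get("SeInteractiveLogonRight")
    if holders is None:
        return ["right not defined in this export"]
    findings = []
    if ADMINISTRATORS not in holders:
        findings.append("Administrators group is missing from the right")
    for p in holders:
        if p not in allowed:
            findings.append(f"unexpected principal: {WELL_KNOWN.get(p, p)}")
    return findings

if __name__ == "__main__":
    allowed = {ADMINISTRATORS, "*S-1-5-32-551", r"CONTOSO\ServerAdmins"}
    for finding in audit_local_logon(SAMPLE_INF, allowed):
        print(finding)
```

A real secedit export is written as UTF-16, so read the file with `encoding="utf-16"` before passing its text to `audit_local_logon`.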
 
#6 vlb, 27-Aug-2007, 03:44 PM
Thanks so very much

Martyn

 
#7 Sparky, 27-Aug-2007, 03:53 PM
Also worth noting that the role of the server can determine who can log on by default.

For example if the server is a domain controller there are no local groups and therefore no local remote desktop users group. Furthermore the DC is locked down by the default domain controllers GPO.


 
#8 vlb, 27-Aug-2007, 04:43 PM
Quote:
Originally Posted by Sparky
Also worth noting that the role of the server can determine who can log on by default.

For example if the server is a domain controller there are no local groups and therefore no local remote desktop users group. Furthermore the DC is locked down by the default domain controllers GPO.

Is a member server just a server that has been added to the domain in the same way a client has?

 
#9 Sparky, 27-Aug-2007, 04:53 PM
Quote:
Originally Posted by vlb
Is a member server just a server that has been added to the domain in the same way a client has?

Ahh, put the users in the remote desktop users group and then they can log on through TS.


 
#10 ManicMonkey, 27-Aug-2007, 05:13 PM
Quote:
Originally Posted by vlb
Is a member server just a server that has been added to the domain in the same way a client has?

Yes, until a server is allocated a role - DHCP, DNS, Exchange etc. - it is simply classed as a member server (as long as it is on the domain ><)

 
#11 ManicMonkey, 27-Aug-2007, 05:14 PM
Quote:
Originally Posted by Sparky
Also worth noting that the role of the server can determine who can log on by default.

For example if the server is a domain controller there are no local groups and therefore no local remote desktop users group. Furthermore the DC is locked down by the default domain controllers GPO.

Good point, I forgot to mention that one

 
#12 vlb, 27-Aug-2007, 06:17 PM
Thank you all for your answers. Gotta love cert communities

Thanks

 
CertForums.co.uk (C) copyright 2003-2007 All Rights Reserved. Content published on CertForums.co.uk requires permission for reprint.