Domain Guest account logon!!!!

Markie · August 2008

Hey Guys.

Ive been doing some testing within a Microsoft Virtual PC 2004 envirinment. I have one domain controller (Windows Server 2003), one member server (Windows Server 2003) and one client workstation (winXp) running.

Ive been doing some testing with the user rights of "log on locally" and "deny log on locally" on the client workstation.

When you run gpedit.msc on the client workstation, you get the following security settings:

User right (Policy) -Security Setting

-log on locally -Administrators, Backup Operators, Guest, Power Users, Users

-deny log on locally -Guest, Support a/c

There are no group policies (site, domain, ou etc.) in place as comfirmed when running rsop.msc on the client:

User right (Policy) - Computer Setting

-log on locally - "not defined"

-deny log on locally - "not defined"

Now, as part of my testing, I tried logging on to the workstation using the local guest a/c and as expected, I could not logon. This is clearly because the deny right is overriding the allow right.

However, I then tried logging in using the domain guest account and the logon was successful.

Any ideas why?

The domain guests group (which contains the domain guest a/c) does not appear to be a member of any of the above-mentioned groups so I am not sure why logon is successful.

My thanks in advance.

Mark

dynamik · August 2008

Well, the local guest account on the member server isn't the same account as the domain guest account i.e. <computer name>\guest vs. <domain name>\guest. It sounds like you're only denying the local guest account.

undomiel · August 2008

I believe Domain Guest is the group you'd want to block to deny the domain guest account.

Markie · August 2008

Well yes, I realise that I could explicitly deny the domain guest account the ability to log on.

However, it just seems strange that by default, the local guest account is locked out but not the domain guest account is not.

If anything, one might think it would be more secure to lock out the domain guest account rather than the local guest account.

I suppose I am just trying to make sense of default settings (with respect to groups's rights etc).

Mark

royal · August 2008

Guest account rocks for Lan Parties! Have a bunch of pictures, videos taken, etc..? Put your computers in the same workgroup, share out your stuff, enable guest account. Now everyone has free access to your stuff without needing to assign ACLs for the shares!

dynamik · August 2008

Markie wrote:

If anything, one might think it would be more secure to lock out the domain guest account rather than the local guest account.

The guest accounts are disabled by default. It doesn't get much more secure than that

Markie · August 2008

dynamik wrote:

The guest accounts are disabled by default. It doesn't get much more secure than that

I dont know, wouldn't denying the domain guest a/c the logon locally right be an extra layer of security.

I take your point, but I guess its just one of those Microsoft things that dont quite make sense. It just seems strange that the local security policy would by default deny the local guest account the logon locally right instead of say the Guests group (which would then include the domain guest account as well).

Mark

dynamik · August 2008

I guess. They probably just assume that if you're going to enable it, you're going to adjust those settings however you see fit. I don't think too many people actually end up enabling the guest account anyway, so it doesn't seem like an issue that would get a lot of attention.

Domain Guest account logon!!!!

Comments