
Interactive users group - Could it be a BUG ?

Anonymous
August 26, 2004 7:05:55 PM

Archived from groups: microsoft.public.win2000.security

It seems to be a BUG with the behavior of the Interactive Users group.
According to MS documentation, the membership definition of such group is:

S-1-5-4

Interactive

A group that includes all users who have logged on interactively.
Membership is controlled by the operating system.


I take "have logged on interactively" as an affirmation that the user had
the correct permissions and rights to log on, and so he did. After log on,
he's automatically a member of the interactive users group, membership
assigned by the OS.

Problem is, we completely removed every user and group from the "Log on
locally" user right configuration, on an XP workstation, except user "A". The
XP WS is a member of a W2K domain, and so are user "A" and user "B".

Then we tried to log onto the W2K domain, from the XP WS, using user "B",
which had no "log on locally" rights on the XP WS.

SURPRISE: user "B" is able to log onto the domain from the XP WS, even though he
has no log on locally rights on the XP WS, nor is he a member of any of the
local groups of the XP WS.

Both users, "A" and "B", are users of the W2K Domain. They have no special
group membership or rights on the domain, nor on the XP WS. They are just
normal accounts.

SOLUTION: after several tests, with several XP WS, we decided (at that
moment just a guess !) to remove the "NT authority\Interactive Users" group
from the local users group on the XP WS. Then, the XP worked as expected,
user "B" was no longer able to log onto the Domain from the XP WS. User "A",
as a member of the local group Users on the XP WS was able to log onto the
domain, as he should be, since the local group Users has the "log on
locally" right.

We repeated this test on several XP WS, and all revealed the same behavior.

So, the question is: IS THIS A BUG in the Interactive Users group under XP?
Or is it just the way Interactive Users is designed to work, in which case
the definition of MS seems wrong to me?

Thanks a lot.
Anonymous
August 27, 2004 5:26:24 AM


That seems odd. Using the same configuration, only the user listed in the logon
locally user right and administrators are able to log on to my XP Pro computer in my
W2K domain. In XP Pro the user right to log on locally must also include the
administrators group - at least XPSP1 does. I would suggest that you add the interactive
group back to the users group and try again using more than two users, with at least a
couple more domain users and a couple of local computer users, all not being in the
domain admins or local administrators group of the XP Pro computer. Also use the
Security Configuration and Analysis tool to analyze the computer against perhaps the
setup security.inf template, to see what it reports as the computer configuration for
the user right for logon locally, to make sure it is what you believe it is. ---
Steve


"Roy Valenciano" <royvalenciano@hotmail.com> wrote in message
news:%23g6vDC7iEHA.1184@TK2MSFTNGP12.phx.gbl...
> It seems to be a BUG with the behavior of the Interactive Users group.
> According to MS documentation, the membership definition of such group is:
>
> S-1-5-4
>
> Interactive
>
> A group that includes all users who have logged on interactively.
> Membership is controlled by the operating system.
>
>
> I take "have logged on interactively" as an affirmation that the user had
> the correct permissions and rights to log on, and so he did. After log on,
> he's automatically a member of the interactive users group, membership
> assigned by the OS.
>
> Problem is, we completely removed every user and group from the "Log on
> locally" user right configuration, on an XP workstation, except user "A". The
> XP WS is a member of a W2K domain, and so are user "A" and user "B".
>
> Then we tried to log onto the W2K domain, from the XP WS, using user "B",
> which had no "log on locally" rights on the XP WS.
>
> SURPRISE: user "B" is able to log onto the domain from the XP WS, even though he
> has no log on locally rights on the XP WS, nor is he a member of any of the
> local groups of the XP WS.
>
> Both users, "A" and "B", are users of the W2K Domain. They have no special
> group membership or rights on the domain, nor on the XP WS. They are just
> normal accounts.
>
> SOLUTION: after several tests, with several XP WS, we decided (at that
> moment just a guess !) to remove the "NT authority\Interactive Users" group
> from the local users group on the XP WS. Then, the XP worked as expected,
> user "B" was no longer able to log onto the Domain from the XP WS. User "A",
> as a member of the local group Users on the XP WS was able to log onto the
> domain, as he should be, since the local group Users has the "log on
> locally" right.
>
> We repeated this test on several XP WS, and all revealed the same behavior.
>
> So, the question is: IS THIS A BUG in the Interactive Users group under XP?
> Or is it just the way Interactive Users is designed to work, in which case
> the definition of MS seems wrong to me?
>
> Thanks a lot.
>
>
>
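The check suggested in the reply above, confirming what the "log on locally" right is really assigned to, can be scripted. This is an added example, not part of the original thread: it parses a user-rights export in the `secedit /export` INF layout and expands local group membership to show when SeInteractiveLogonRight reaches an OS-managed SID such as S-1-5-4. The sample export, the EXAMPLE domain and the membership map are constructed, and the script audits configuration only; it does not model how Windows evaluates a logon.

```python
import configparser

# Well-known SIDs whose membership the OS assigns at logon, so a right granted
# to them (directly or through a local group) reaches beyond the named users.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-4": "NT AUTHORITY\\INTERACTIVE",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
}

# Constructed sample in the layout of a `secedit /export /areas USER_RIGHTS` file.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,EXAMPLE\\userA
SeNetworkLogonRight = *S-1-5-32-544
"""

# Constructed local group membership (what `net localgroup` would list),
# keyed by group SID. S-1-5-32-544 is Administrators, S-1-5-32-545 is Users.
SAMPLE_GROUPS = {
    "S-1-5-32-544": ["EXAMPLE\\Domain Admins"],
    "S-1-5-32-545": ["S-1-5-4", "S-1-5-11", "EXAMPLE\\userA"],
}

def holders(inf_text, right):
    """Return the principals assigned `right` in a secedit export."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep privilege names exactly as written
    cp.read_string(inf_text)
    raw = cp.get("Privilege Rights", right, fallback="")
    return [p.strip().lstrip("*") for p in raw.split(",") if p.strip()]

def expand(principals, groups):
    """Expand local groups recursively; returns {principal: path that grants it}."""
    reach, stack = {}, [(p, [p]) for p in principals]
    while stack:
        sid, path = stack.pop()
        if sid in reach:
            continue
        reach[sid] = path
        stack += [(m, path + [m]) for m in groups.get(sid, [])]
    return reach

def broad_grants(inf_text, groups, right="SeInteractiveLogonRight"):
    """List (name, path) for each broad well-known SID that ends up holding `right`."""
    reach = expand(holders(inf_text, right), groups)
    return sorted((BROAD_SIDS[s], " -> ".join(p)) for s, p in reach.items() if s in BROAD_SIDS)
```

A real export is normally written as UTF-16, so read it with `open(path, encoding="utf-16").read()` before passing the text to `broad_grants`.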