advice needed

Discussion in 'Active Directory Exams' started by vlb, Aug 27, 2007.

  1. vlb

    vlb Byte Poster

    hi guys

    First off, I just want to know if it is allowed for me to post a question here that I was asked in a mock exam. I just want your advice on the question because even though I got it right, the answer doesn't make any sense to me.

    If an admin could let me know if I can post this question (and the funky answer) it would be appreciated.

    Second thing I wanted to know is about interactive login.

    Suppose I wanted to give a certain group the ability to log on to a server: 1) why would I use an interactive login GPO instead of just creating a local group and adding their domain group (or user accounts) to it?

    2) Does "interactive logon" mean that they are logged on locally? I.e. if my admins have domain accounts and my servers are part of my domain then they will be able to log on to the server anyway? So what's the need for an interactive logon GPO?

    thanks for any answers you might have.

    Martyn
     
    Certifications: MCDST, MCP 70-294
    WIP: MCSE
  2. ManicMonkey

    ManicMonkey Kilobyte Poster

    Mock exam? Is it a certified examination that you're taking or some sort of training exam to prepare you for the real thing?
    Brain dumps (ACTUAL test questions) are not allowed here.

    Anyone logging onto a domain controller has to have the logon locally right (interactive login is basically logon locally).
    Yes, you could create a local group on each and every server and then add each and every user to it... it's just that, well, that's a lot of work for not a lot of gain. GPOs are designed to ease administration tasks, making life much more secure and faster to work with.

    If you create a GPO that allows interactive logon and add users to it, then you're saying that these users can log on to any server in your entire company that has this GPO attached to it. Is that not much faster than the alternative?
    At least I think it would be :)
    (Plus, if you discover a security breach or problem, it's much faster to disable 1 GPO than remove X number of users from Y number of servers.)

    To answer your final question, yes, admins are usually given the interactive logon right by default. However, are you saying that every single admin in your domain has the same access rights? From the lowly 1-week-old newbie to the highly respected 20-year veteran?
    In an ideal world you should have different levels of access for each administrator. Someone in charge of user accounts (creating, adjusting, resetting passwords etc.) would not really need any access to a server and as such would not need interactive logon rights, whereas someone in charge of the server maintenance would need to be able to log on to the server to ensure it's tip-ety-top OK.
     
    Certifications: MCSE
    WIP: Exchange, Share point - MOM as well
  3. vlb

    vlb Byte Poster

    Hi Manic Monkey, thanks for your swift reply.

    The question I would like to post is from a training exam. It isn't a TK question (at least it isn't taken from a TK paper) so as far as I know it's not a brain dump question.

    I guess I was a little confused on what exactly "interactive login" did, so just so I can get this right in my head: if I had an OU named servers, and in that OU were srv1 and srv2, if I applied a GPO that allowed "interactive logon" to that OU and then in the "interactive logon" section defined a group of admins, any of those admins could walk up to srv1 and srv2 and log onto it... I know the answer is yes, but what confuses me is that

    a) when they sit down in front of those servers, are they choosing the domain to log onto or are they choosing srv1 (this computer)?

    b) if they are choosing the domain to log onto, is it the case that the "interactive logon GPO" is merely giving them the same rights as if they were to log on to srv1 (this computer)?


    My sincere apologies for the long-winded question, I just feel that if I slotted this piece into place it would answer so much more for me.

    Thanks

    Martyn
     
    Certifications: MCDST, MCP 70-294
    WIP: MCSE
  4. BosonMichael

    BosonMichael Yottabyte Poster

    Be careful of mock exams freely available on the Internet... quite often, they're braindumps even though they're not listed as such.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  5. ManicMonkey

    ManicMonkey Kilobyte Poster

    Just noticed a mistake in my original reply (oops)


    Interactive logon is the process used to log on to a domain or machine. Every login process uses this function.
    To log into a SERVER the account must have the log on locally right. Local accounts stored in the machine's SAM database have this right by default.
    Any domain accounts that are required to log onto a server must have this right allocated to them. Administrative accounts usually have this by default.

    Microsoft Technet- Interactive Logon
    http://technet2.microsoft.com/windowsserver/en/library/7030dd02-b459-4997-bf60-5c588c89758e1033.mspx?mfr=true

    Microsoft Technet - Log On Locally


    So back to the original question...
    GPOs are designed to make an administrator's job easier and smoother. By creating a GPO and adding groups or users to it you can allocate this to either individual servers or OUs containing servers.
    Why do this, you ask? Well, think of the worst possibility that could happen: security breach, administrator causing problems on the servers (or something just as bad). If the only access they have is via the network, then by disabling this 1 GPO you have totally shut their access to all the servers this GPO is associated with.

    In all honesty there should be almost no call for anyone to sit at a server and log on, therefore you should be looking more towards a domain logon from across the network from an account with logon locally rights.

    Again, don't let people log on directly to servers, it's almost impossible to restrict access this way (especially if they know the local administrator account for that server).
    If you use GPOs attached to groups then it will be the GPO that defines what access rights they have.
     
    Certifications: MCSE
    WIP: Exchange, Share point - MOM as well
  6. vlb

    vlb Byte Poster

    thanks so very much

    Martyn
     
    Certifications: MCDST, MCP 70-294
    WIP: MCSE
  7. Sparky

    Sparky Zettabyte Poster Moderator

    Also worth noting that the role of the server can determine who can log on by default.

    For example if the server is a domain controller there are no local groups and therefore no local remote desktop users group. Furthermore the DC is locked down by the default domain controllers GPO. 8)
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
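
The logon rights discussed in the posts above ("log on locally" and logging on through TS) can be audited per server from a security policy export. This is an added example, not part of any post: the INF text, the CONTOSO group names and the approved baseline are constructed, and a real export comes from `secedit /export /cfg rights.inf /areas USER_RIGHTS`.

```python
# Added example: list who holds the interactive logon rights on a server and
# flag holders outside an approved baseline. SAMPLE_INF is constructed sample
# data; a real secedit export is UTF-16 (open it with encoding="utf-16").

WELL_KNOWN = {  # built-in group SIDs as they appear in secedit exports
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
}

RIGHTS = {  # privilege constant -> policy name shown in the GPO editor
    "SeInteractiveLogonRight": "Allow log on locally",
    "SeRemoteInteractiveLogonRight": "Allow log on through Terminal Services",
    "SeDenyInteractiveLogonRight": "Deny log on locally",
}

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,CONTOSO\\ServerAdmins
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyInteractiveLogonRight = CONTOSO\\Helpdesk
[Version]
signature="$CHICAGO$"
"""

def parse_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
            rights[name.strip()] = [WELL_KNOWN.get(h, h) for h in holders]
    return rights

def unexpected_holders(rights, right, allowed):
    """Principals holding `right` that are not in the approved baseline."""
    return sorted(set(rights.get(right, [])) - set(allowed))

if __name__ == "__main__":
    parsed = parse_rights(SAMPLE_INF)
    for key, label in RIGHTS.items():
        print(f"{label}: {', '.join(parsed.get(key, [])) or '(not defined)'}")
    baseline = ["BUILTIN\\Administrators"]  # assumed baseline for this example
    print("Review:", unexpected_holders(parsed, "SeInteractiveLogonRight", baseline))
```
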
  8. vlb

    vlb Byte Poster

    Is a member server just a server that has been added to the domain in the same way a client has?
     
    Certifications: MCDST, MCP 70-294
    WIP: MCSE
  9. Sparky

    Sparky Zettabyte Poster Moderator

    Ahh, put the users in the remote desktop users group and then they can logon through TS.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  10. ManicMonkey

    ManicMonkey Kilobyte Poster

    Yes, until a server is allocated a role - DHCP, DNS, Exchange etc. - it is simply classed as a member server (as long as it is on the domain ><)
     
    Certifications: MCSE
    WIP: Exchange, Share point - MOM as well
  11. ManicMonkey

    ManicMonkey Kilobyte Poster

    Good point, I forgot to mention that one :)
     
    Certifications: MCSE
    WIP: Exchange, Share point - MOM as well
  12. vlb

    vlb Byte Poster

    Thank you all for your answers. Gotta love cert communities

    Thanks
     
    Certifications: MCDST, MCP 70-294
    WIP: MCSE
