iam bored
2010-08-26 14:45:50 UTC
If you disable or remove any of those accounts you are not only going to mess with the way windows works, but you are in fact creating more (and larger) security holes.
Creator group and creator owner are permissions accounts. They are used to control who can access the files you created. (you are listed as the creator owner on all of the files that you create and are therefore given full permissions automatically) get rid of this and you mess up your entire file system
Authenticated users is another security group that can be assigned to a particular file or folder to control who can access it ( say you want to give everyone that has an account on your computer access to a certain share while blocking everyone else)
Batch, dialup, interactive, local service, network, network service, service, and system are all used by Windows behind the scenes. for example your system services may se local server as it's username in order to run automatic updates, or enable your firewal.
"anonymous logon" is used by file and printer sharing.
"terminal server user" and Remote interactive logon are groups that specify people that can log on to your computer over the network.
Bottom line. If you disable any of these or remove their permissions Windows will never work right again. Windows operates by putting users into these groups. By default there is nobody in them as most of these services are disabled. Unless you specifically turned on a server such as file and printer sharing most of these groups or accounts will never be used. They are only there for security purposes.
You best option is to leave these alone as they are common referred to system accounts for a reason. Anything that has NT AUTHORITY before it is usually used by windows to give you the Windows experience. Often there are others that don't have NT AUTHORITY preceding them. This is why you should never move, disable, delete, or do anything else with user accounts or groups that don't show up under "Users" in the "Controll Panel" unless you really know what your getting yourself into.
If you want to secure your computer, I would suggest password protecting the "Guest account" that is how most people will access your computer over the network. You can search the internet for instructions on how to do that but keep in mind that you will be asked to enter a password everytime you try to access your files or printers from another computer.
Creator group and creator owner are permissions accounts. They are used to control who can access the files you created. (you are listed as the creator owner on all of the files that you create and are therefore given full permissions automatically) get rid of this and you mess up your entire file system
Authenticated users is another security group that can be assigned to a particular file or folder to control who can access it ( say you want to give everyone that has an account on your computer access to a certain share while blocking everyone else)
Batch, dialup, interactive, local service, network, network service, service, and system are all used by Windows behind the scenes. for example your system services may se local server as it's username in order to run automatic updates, or enable your firewal.
"anonymous logon" is used by file and printer sharing.
"terminal server user" and Remote interactive logon are groups that specify people that can log on to your computer over the network.
Bottom line. If you disable any of these or remove their permissions Windows will never work right again. Windows operates by putting users into these groups. By default there is nobody in them as most of these services are disabled. Unless you specifically turned on a server such as file and printer sharing most of these groups or accounts will never be used. They are only there for security purposes.
You best option is to leave these alone as they are common referred to system accounts for a reason. Anything that has NT AUTHORITY before it is usually used by windows to give you the Windows experience. Often there are others that don't have NT AUTHORITY preceding them. This is why you should never move, disable, delete, or do anything else with user accounts or groups that don't show up under "Users" in the "Controll Panel" unless you really know what your getting yourself into.
If you want to secure your computer, I would suggest password protecting the "Guest account" that is how most people will access your computer over the network. You can search the internet for instructions on how to do that but keep in mind that you will be asked to enter a password everytime you try to access your files or printers from another computer.
I have need to block our Service accounts (which are all located in there own
OU) the ability to logon to any machine in the domain. How can this been done
thru group policy.?
I don???t want to put the account in a policy individually, as I want any new
account in the OU to automatically have the denied interactive logon to all
machines.
Note the Domain is 2008
Thanks in advance
OU) the ability to logon to any machine in the domain. How can this been done
thru group policy.?
I don???t want to put the account in a policy individually, as I want any new
account in the OU to automatically have the denied interactive logon to all
machines.
Note the Domain is 2008
Thanks in advance
Howdie!
You'd have to do that in a script and check whether the user logging in
is a "member" of a certain OU. I wouldn't like that however.
How about putting these accounts into a group? As service user creation
shouldn't be a really dynamic thing, you could put them into a security
group and create a Group Policy on the domain machines that denies them
local logon. It's a security setting policy "Deny log on locally" that
prevents them from logging on at the machines.
cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
You'd have to do that in a script and check whether the user logging in
is a "member" of a certain OU. I wouldn't like that however.
How about putting these accounts into a group? As service user creation
shouldn't be a really dynamic thing, you could put them into a security
group and create a Group Policy on the domain machines that denies them
local logon. It's a security setting policy "Deny log on locally" that
prevents them from logging on at the machines.
cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
Hi ive been looking into some groups and user accounts recently as i have been experiencing some very odd behaviour exhibited by my machine (which is not on a domain). I have found allot of NT accounts which are on my machine which seem to be specifically orientated for remote access, and i fear that my local windows NT machine has been remotely accessed using these accounts.
\CREATOR GROUP
\CREATOR OWNER
NT AUTHORITY\ANYONYMOUS LOGON (S-1-5-7) - This i have disabled in regedit, value was previously inserted and set to 0
NT AUTHORITY\Authenticated Users (S-1-5-11)
NT AUTHORITY\BATCH (s-1-5-3)
NT AUTHORITY\DIALUP (s-1-5-1)
NT AUTHORITY\INTERACTIVE (s-1-5-3)
NT AUTHORITY\LOCAL SERVICE (s-1-5-19)
NT AUTHORITY\NETWORK (s-1-5-2)
NT AUTHORITY\NETWORK SERVICE (s-1-5-20)
NT AUTHORITY\REMOTE INTERACTIVE LOGON (s-1-5-14)
NT AUTHORITY\SERVICE (S-1-5-6)
NT AUTHORITY\SYSTEM (S-1-5-18)
NT AUTHORITY\TERMINAL SERVER USER (s-1-5-13)
MY question is how would i go about making sure these accounts are inactive, and where possible, removed?
As i cannot seem to access any of the ACL's for these users on my computer management mmc.
Thanks for any help
Submitted via EggHeadCafe - Software Developer Portal of Choice
Custom Favorites Web Site with MongoDb and NoRM
http://www.eggheadcafe.com/tutorials/aspnet/7fbc7a01-5d30-4cd3-b373-51d4a0e1afa8/custom-favorites-web-site-with-mongodb-and-norm.aspx
\CREATOR GROUP
\CREATOR OWNER
NT AUTHORITY\ANYONYMOUS LOGON (S-1-5-7) - This i have disabled in regedit, value was previously inserted and set to 0
NT AUTHORITY\Authenticated Users (S-1-5-11)
NT AUTHORITY\BATCH (s-1-5-3)
NT AUTHORITY\DIALUP (s-1-5-1)
NT AUTHORITY\INTERACTIVE (s-1-5-3)
NT AUTHORITY\LOCAL SERVICE (s-1-5-19)
NT AUTHORITY\NETWORK (s-1-5-2)
NT AUTHORITY\NETWORK SERVICE (s-1-5-20)
NT AUTHORITY\REMOTE INTERACTIVE LOGON (s-1-5-14)
NT AUTHORITY\SERVICE (S-1-5-6)
NT AUTHORITY\SYSTEM (S-1-5-18)
NT AUTHORITY\TERMINAL SERVER USER (s-1-5-13)
MY question is how would i go about making sure these accounts are inactive, and where possible, removed?
As i cannot seem to access any of the ACL's for these users on my computer management mmc.
Thanks for any help
Submitted via EggHeadCafe - Software Developer Portal of Choice
Custom Favorites Web Site with MongoDb and NoRM
http://www.eggheadcafe.com/tutorials/aspnet/7fbc7a01-5d30-4cd3-b373-51d4a0e1afa8/custom-favorites-web-site-with-mongodb-and-norm.aspx