Interactive group

    Question

  • Hi,

    I do not have a strong understanding of the NT Authority\Interactive group. What does it actually mean? From what they listed, it is for logging on locally.

    Then what is the difference between Interactive and Remote Desktop Users?


    Thanks.

    Wednesday, April 14, 2010 2:35 AM

Answers

    Let me rephrase your sentence, please correct me if I am wrong.

    What you are saying is that if the Interactive group does not exist, then local users will not have the capability to log on to the server locally. Does this apply to the local administrator?

    Let me share the situation I am encountering now.

    Security Admin - local admin

    Server Admin - Power Users

    Apps Admin - normal user with appropriate permission.

    Let me know what you think about it.

    Sorry but I really don't understand what you're asking or trying to accomplish here. To answer your specific questions:

    1. No, removing Interactive from the local Users account will not prevent anyone from being able to log on locally. A user does not get membership in the Interactive group until they log on locally (or through RDP) successfully so the Interactive group cannot, by definition, be used to restrict the ability to log on locally. Having said that, there are a large number of places where the Interactive group is used to secure resources. As I said before, removing the Interactive group from the Users group will break all kinds of things.

    2. Local administrators are the same when it comes to logging in locally in that the Interactive group can't be used to restrict this user right, regardless of who the user is.

    As for the rest of your post, as I said, I don't really understand what you're asking.

    The bottom line is that removing Interactive from the local Users group does nothing at all to enhance security and is a really bad idea.



    Paul Adare CTO IdentIT Inc. ILM MVP
    • Marked as answer by Patrick Y Wednesday, April 14, 2010 6:18 AM
    Wednesday, April 14, 2010 4:20 AM

All replies

  • Hi Patrick,

    The members of the Interactive group gain access to resources on the computer at which they are physically located or logged on. This group includes all users who log on to a computer locally. Users who are connected across a network are not members of this group (with the exception of the Remote Desktop Users group). Remote Desktop Users, as the term implies, connect to computers via RDP; they are also granted interactive logon rights during the initiated RDP sessions even though the users are logging on remotely.

    Regards,

    Salvador Manaois III
    MCSE MCSA MCTS MCITP:EA/SA C|EH CIWA
    ----------------------------------------------------------------------------
    Bytes & Badz: http://badzmanaois.blogspot.com
    My Passion: http://flickr.com/photos/badzmanaois
    My Scripting Blog: http://sgwindowsgroup.org/blogs/badz

    Wednesday, April 14, 2010 2:55 AM
  • Hi Salvador,

    How are you? Do you remember me? Patrick from CS team :P ...

    Well, what would be the actual impact if I remove NT Authority\Interactive from the Users group? And with the removal of Interactive, does it mean ONLY local administrators are allowed to access them locally?

    Wednesday, April 14, 2010 3:16 AM
    Well, what would be the actual impact if I remove NT Authority\Interactive from the Users group? And with the removal of Interactive, does it mean ONLY local administrators are allowed to access them locally?


    Removing Interactive from the local Users group would cause all kinds of problems and would break a whole bunch of default security settings.

    What is it you're trying to actually accomplish here? There is likely a better, more standard way of trying to do what you're trying to do. If you let us know that, we can probably point you in the right direction.



    Paul Adare CTO IdentIT Inc. ILM MVP
    Wednesday, April 14, 2010 3:27 AM
  • Hi, my superior asked me to explain why they are required to be part of Users. From a security perspective, she is afraid that someone might violate it.
    Wednesday, April 14, 2010 3:44 AM
  • Hi, my superior asked me to explain why they are required to be part of Users. From a security perspective, she is afraid that someone might violate it.


    Violate what and how exactly? Sorry, but I don't understand what that statement is supposed to mean. I can't think of any possible exploit due to the fact that Interactive is a member of the local users group.



    Paul Adare CTO IdentIT Inc. ILM MVP
    Wednesday, April 14, 2010 3:58 AM
  • She has the mentality that adding extra users may lead to more exploitation.
    Wednesday, April 14, 2010 4:01 AM
  • She has the mentality that adding extra users may lead to more exploitation.


    Ok, but this doesn't add extra users. Interactive is a computed group. Unless a user is logged on locally or through RDP, they are not a member of Interactive. Domain Users is also a member of the local Users group. The existence of the Interactive group actually allows for greater, not lesser security. If the Interactive group didn't exist and you only had the local Users group to work with, you'd have no effective method to restrict access to resources that you only wanted users who are logged in locally to be able to access.



    Paul Adare CTO IdentIT Inc. ILM MVP
    Wednesday, April 14, 2010 4:05 AM
  • Let me rephrase your sentence, please correct me if I am wrong.

    What you are saying is that if the Interactive group does not exist, then local users will not have the capability to log on to the server locally. Does this apply to the local administrator?

    Let me share the situation I am encountering now.

    Security Admin - local admin

    Server Admin - Power Users

    Apps Admin - normal user with appropriate permission.

    Let me know what you think about it.

    Wednesday, April 14, 2010 4:10 AM
  • I guess I understand now. Thanks for your explanation. That really helps a lot.
    Wednesday, April 14, 2010 5:58 AM
  • Hey Patrick, I do remember you and the good old days of supporting MKZ. =)

    Coming back to your query, one way where the right to login locally can be defined/controlled is via Group Policy. The membership of the Interactive Users group is controlled by the operating system so tweaking its group membership is, imho, totally unnecessary. What I would suggest is to disable the groups (do not delete them) and test all relevant access to your server.

    Regards,

    Salvador Manaois III
    MCSE MCSA MCTS MCITP:EA/SA C|EH CIWA
    ----------------------------------------------------------------------------
    Bytes & Badz: http://badzmanaois.blogspot.com
    My Passion: http://flickr.com/photos/badzmanaois
    My Scripting Blog: http://sgwindowsgroup.org/blogs/badz

    Wednesday, April 14, 2010 6:15 AM
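To make Paul's point (Interactive is a computed group, granted per logon, and usable in ACLs) and Salvador's point (the right to log on locally is a policy setting, not a group membership) concrete, here is an added PowerShell example; it is not code from the thread. The folder path passed to Grant-InteractiveOnlyRead and the temp file name in Get-LogOnLocallyRight are assumptions, and secedit needs an elevated session.

```powershell
# Added example, not from the thread. Well-known SIDs used below:
#   S-1-5-4       NT AUTHORITY\INTERACTIVE          (console or RDP logon)
#   S-1-5-14      NT AUTHORITY\REMOTE INTERACTIVE LOGON (RDP logon only)
#   S-1-5-32-555  BUILTIN\Remote Desktop Users      (static group, for contrast)
# A network or service logon token carries neither S-1-5-4 nor S-1-5-14.

function Get-LogonTypeGroups {
    # Report which computed logon-type SIDs the current token carries.
    $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids  = $token.Groups | ForEach-Object { $_.Value }
    [pscustomobject]@{
        User                   = $token.Name
        Interactive            = $sids -contains 'S-1-5-4'
        RemoteInteractiveLogon = $sids -contains 'S-1-5-14'
        RemoteDesktopUsers     = $sids -contains 'S-1-5-32-555'
    }
}

function Grant-InteractiveOnlyRead {
    # Grant read/execute only to principals whose logon was interactive.
    # The static Users group cannot express "logged on at this machine";
    # an ACE for S-1-5-4 can, which is why the group is useful in ACLs.
    param([Parameter(Mandatory)][string]$Path)   # assumption: a test folder you choose
    $acl  = Get-Acl -Path $Path
    $sid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-4'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Return the resulting ACE so the change can be checked.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\INTERACTIVE' }
}

function Get-LogOnLocallyRight {
    # Export the effective user-rights policy and return the line that lists
    # who holds "Allow log on locally" (SeInteractiveLogonRight). This right,
    # set through local security policy or Group Policy, is what actually
    # controls local logon; Interactive group membership does not.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'   # constructed temp file name
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    Select-String -Path $inf -Pattern '^SeInteractiveLogonRight' |
        ForEach-Object { $_.Line }
}

Get-LogonTypeGroups
Get-LogOnLocallyRight
```

Run Get-LogonTypeGroups once from an RDP session and once from a scheduled task or PSRemoting session to see S-1-5-4 appear and disappear with the logon type.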
  • What I would suggest is to disable the groups (do not delete them) and test all relevant access to your server.


    How exactly does one disable a group?



    Paul Adare CTO IdentIT Inc. ILM MVP
    Wednesday, April 14, 2010 6:18 AM
  • My mistake, the phrase should have been:

    Do not delete the groups. If security is the utmost concern, try using one of the predefined security templates (either secure or hisec) and test all relevant access to your server.

    Thanks, Paul, for highlighting it.

    Regards,
    Salvador

    Wednesday, April 14, 2010 6:50 AM