JSI Tip 5449. Your Guest account may be a member of your Windows 2000 Domain Users group, with access to Domain Users resources?

In a Windows 2000 domain, the local Guest account may be a member of the Domain Users global group. If it is, the Guest account has access to the same files and shares that a member of the Domain Users group has access to.

NOTE: I found that the Guest account was a member of the Domain Users group in my domain, and in the vast majority of the domains that I checked.

To resolve this problem:

1. Open the Active Directory Users and Computers snap-in from your Administrative Tools menu.

2. Select the Guest account.

3. Right-click the Guest account and press Properties.

4. Select the Member of tab.

5. If the Primary group is NOT the Domain Guests global group, select the Domain Guests group in the Member of list and press the Set Primary Group button.

6. Select the Domain Users group in the Member of list and press the Remove button.

7. Press Apply and OK.

8. Close the Active Directory Users and Computers snap-in.

NOTE: If you open a CMD prompt and try to delete the Guest account from the Domain Users group, by typing
net group "Domain Users" Guest /delete /domain,
the command will fail if the Primary group of the Guest account is set to Domain Users.



Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish