Microsoft KB Archive/925654
Article ID: 925654
Article Last Modified on 12/3/2007
- Microsoft Windows Small Business Server 2003 Standard Edition
- Microsoft Windows Small Business Server 2003 Premium Edition
Consider the following scenario. You use the Power Users Template in the Add User Wizard on a Microsoft Windows Small Business Server 2003 (Windows SBS)-based computer to create a user account. Then, you try to use the user account to connect to an FTP site that has anonymous access turned off and is hosted on a Windows SBS-based computer. In this scenario, the user account cannot log on to the FTP site.
By default, this behavior occurs because Power Users are members of the SBS Remote Operators group on the Windows SBS-based computer. Members of the Remote Operators group are not granted Log On Locally permissions. Permissions that are not granted to this group override any other permissions that are granted to the user account. Therefore, even if you grant explicit permissions to Log On Locally for the user account, such permissions will not be granted
Important These steps may increase your security risk. These steps may also make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to, or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you choose to implement this process, take any appropriate additional steps to help protect your system. We recommend that you use this process only if you really require this process.
To work around this behavior, you can use one of the following methods, as appropriate for your situation.
Remove the user account from the SBS Remote Operators group on the Windows SBS-based computer.
Remove the SBS Remote Operators group from the Deny log on locally policy in the Default Domain Controllers Group Policy on the Windows SBS-based computer. To do this, follow these steps:
- Log on to the Windows SBS-based computer by using an account that has administrative permissions.
- Click Start, point to Administrative Tools, click Domain Controller Security Policy, and then click OK.
- Expand Local Policies, click User Rights Assignment, and then double-click Deny log on locally.
- In the Deny log on locally Properties dialog box, click SBS Remote Operators, click Remove, and then click OK.
This behavior is by design.
Keywords: kbtshoot kbprb KB925654