I am setting up 2012 R2 servers. I am rather perplexed that having the "Interactive" group as a member of the local "Users" group allows domain users to log on. A completely empty local "Users" group will not permit all domain users to log on. If you add the "Interactive" group to the "Users" group, then all domain users can log on.
My reasoning is simple. Before a user logs on, he is not a member of the "Interactive" group, therefore he should not be able to log on locally. Correct? Membership in the "Interactive" group should be granted after the login has been approved.
But my test seems to indicate that the user is made a member of the "Interactive" group before the user account's security has been evaluated. Therefore, any account is permitted to log on locally as long as the "Interactive" group is a member of the local "Users" group. Does this seem to be odd?
From what I have read, it is a bad idea to remove the "Interactive" group from the "Users" group. Is this true? How about just making sure that every user that logs on locally is in the "Users" group?
Or how about simply removing the local "Users" group from the "Allow local login" rights? Is this problematic?
Thanks for any input. This just strikes me as rather odd.
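
One way to inspect the two settings the question turns on, the membership of the local Users group and the accounts granted the "Allow log on locally" right (`SeInteractiveLogonRight`), before changing either. This is an added example, not part of the original post; it assumes an elevated PowerShell session on the server, and `Resolve-Sid` is a hypothetical helper name.

```powershell
# Added example. Run in an elevated PowerShell session on the server.

# Hypothetical helper: translate a SID string to an account name,
# returning the input unchanged when it cannot be resolved.
function Resolve-Sid {
    param([string]$Sid)
    try {
        $sidObject = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

# 1. Members of the local Users group (well-known SID S-1-5-32-545),
#    read through the WinNT ADSI provider so it works on PowerShell 4.0.
$usersName = (Resolve-Sid 'S-1-5-32-545').Split('\')[-1]
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$usersName,group"
$members = @($group.Invoke('Members')) | ForEach-Object {
    $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

# 2. Accounts granted "Allow log on locally", taken from a secedit export
#    of the effective local user rights assignment.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $cfg
$holders = @()
if ($line) {
    # Entries are comma-separated; SIDs are prefixed with '*', names are not.
    $holders = ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
}

# 3. Report both lists, then the two facts the question depends on.
"Members of local '$usersName' group:"
$members | ForEach-Object { '  {0}  ({1})' -f (Resolve-Sid $_), $_ }
"Accounts granted 'Allow log on locally' (SeInteractiveLogonRight):"
$holders | ForEach-Object { '  {0}  ({1})' -f (Resolve-Sid $_), $_ }

$interactiveInUsers = $members -contains 'S-1-5-4'       # Interactive
$usersHasRight      = $holders -contains 'S-1-5-32-545'  # BUILTIN\Users
"Interactive (S-1-5-4) is a member of Users: $interactiveInUsers"
"Users (S-1-5-32-545) holds the logon right: $usersHasRight"
```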