RE: Weird SSH issue on 2000 domain controller

From: McLaughlin, Michael M <michael.mclaughlin_at_**********.***>
Date: Fri Jun 06 2003 - 00:39:58 EDT

Sorry Ben, if I had seen it sooner I would have invited Stuffeshead to take this "off group", but you are correct about the problem.
 
The trick is indeed in the Domain Controller Security policy. You need to disable the "Deny Login Locally" policy in the Domain Controller policy and enable "Deny Login Locally" in the local computer policy for each DC in your Active Directory that to maintain the security level. Recommend just copying the settings from the Domain Controller Policy for the Local Policy (works the best instead of hacking a policy together).
 
This unlocks the DC that you want to allow access to while keeping a tight policy on your other DCs.
 
I can certainly walk you through this process; in fact, I think I have a Word doc with the instructions somewhere. I am going camping tomorrow and won't be back until Sunday, so if you don't hear from me I am roasting beer.
 
Michael Mclaughlin

        -----Original Message-----
        From: Ben Voigt [mailto:bvoigt@kas.com]
        Sent: Thu 6/5/2003 5:13 PM
        To: 'Secure Shell Discussions'
        Cc:
        Subject: RE: Weird SSH issue on 2000 domain controller
        
        

        This issue has been dealt with in the list archives... I think you need to
        change the policy for "Log in locally" in Local Security Policies under
        Administrative Tools (or Domain Policies if you want to roll the change out
        to all servers, or Domain Controller Policies for limited roll out to just
        DCs).
        
        Hope this helps.
        
        -----Original Message-----
        From: ssh-l-bounces@erdelynet.com [mailto:ssh-l-bounces@erdelynet.com]On
        Behalf Of Chris K Ellsworth
        Sent: Thursday, June 05, 2003 3:35 PM
        To: Secure Shell Discussions
        Subject: Re: Weird SSH issue on 2000 domain controller
        
        
        On a domain server no one is allowed to log in unless they are domain
        admins. I know there's a way to change it (did it in my MCSE classes), but don't
        remember how.
        
        ----- Original Message -----
        From: "Stuffeshead" <stuffeshead@hotmail.com>
        To: <ssh-l@erdelynet.com>
        Sent: Thursday, June 05, 2003 9:45 AM
        Subject: Weird SSH issue on 2000 domain controller
        
        
        Hello, all...
        
        
        I have a weird issue that I can't seem to fix. It has to be something
        simple that someone else has encountered, so I was hoping someone could give
        me a "Duh!" heads up on where to look.
        
        I have a 2000 server with OpenSSH running on it. Everything WAS working
        perfectly. Then, we needed to install active directory on the server to
        start replicating data on it. As soon as we did, SSH broke. Now, the only
        way to allow someone to ssh into the server is to make them part of the
        domain admins group. Otherwise, we get the message "refused connection."
        
        Any ideas?
        
        DC
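
Added example, not part of any poster's message: a Python check of the two user rights the replies point to, read from a security template exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS`. The sample template, the account and group names (`alice`, `sshusers`, `contractors`) and the function names are constructed for illustration; the caller is assumed to supply the account's group memberships.

```python
import configparser

# Constructed sample of a security template as produced by
# `secedit /export /cfg rights.inf /areas USER_RIGHTS` (values are made up).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,sshusers
SeDenyInteractiveLogonRight = *S-1-5-32-546,contractors
[Version]
signature="$CHICAGO$"
Revision=1
"""

ALLOW = "SeInteractiveLogonRight"      # shown in the policy editor as "Log on locally"
DENY = "SeDenyInteractiveLogonRight"   # shown as "Deny logon locally"

def norm(principal):
    """Normalise a SID or account name for comparison ('*' prefixes SIDs in the INF)."""
    return principal.strip().lstrip("*").lower()

def parse_rights(inf_text):
    """Return {right_name: set of principals} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: {norm(p) for p in value.split(",") if p.strip()}
            for right, value in cp.items("Privilege Rights")}

def check_local_logon(rights, principals):
    """principals: the account plus every group (name or SID) it belongs to.
    A deny entry takes precedence over an allow entry."""
    mine = {norm(p) for p in principals}
    denied = mine & rights.get(DENY, set())
    if denied:
        return False, "denied via " + ", ".join(sorted(denied))
    allowed = mine & rights.get(ALLOW, set())
    if allowed:
        return True, "allowed via " + ", ".join(sorted(allowed))
    return False, "no principal holds " + ALLOW

if __name__ == "__main__":
    rights = parse_rights(SAMPLE_INF)
    for who in (["alice", "sshusers"], ["bob", "sshusers", "contractors"], ["carol"]):
        print(who[0], check_local_logon(rights, who))
```

Running the export on each DC before and after a policy change shows which accounts the SSH service will accept without adding them to Domain Admins.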
        

Received on Fri Jun 6 00:50:07 2003
