JSI Tip 5449. Your Guest account may be a member of your Windows 2000 Domain Users group, with access to Domain Users resources?

Jerold Schulman

June 17, 2002


In a Windows 2000 domain, the local Guest account may be a member of the Domain Users global group. If it is, the Guest account has access to the same files and shares that a member of the Domain Users group has access to.

NOTE: I found that the Guest account was a member of the Domain Users group in my domain, and in the vast majority of the domains that I checked.

To resolve this problem:

1. Open the Active Directory Users and Computers snap-in from your Administrative Tools menu.

2. Select the Guest account.

3. Right-click the Guest account and press Properties.

4. Select the Member of tab.

5. If the Primary group is NOT the Domain Guests global group, select the Domain Guests group in the Member of list and press the Set Primary Group button.

6. Select the Domain Users group in the Member of list and press the Remove button.

7. Press Apply and OK.

8. Close the Active Directory Users and Computers snap-in.

NOTE: If you open a CMD prompt and try to delete the Guest account from the Domain Users group, by typing
net group "Domain Users" Guest /delete /domain,
the command will fail if the Primary group of the Guest account is set to Domain Users.
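
The same check and fix can be scripted. The following is an added example, not part of the original tip. It assumes a management host with the ActiveDirectory PowerShell module (RSAT) and a domain that supports it. The `-Fix` switch is a name chosen for this example. It reports by default and changes nothing unless `-Fix` is given.

```powershell
# Added example: audit (and optionally fix) Guest membership in Domain Users.
# Assumption: the ActiveDirectory module (RSAT) is installed on this host.
param([switch]$Fix)   # -Fix is this example's own switch name

Import-Module ActiveDirectory

# Look the objects up by well-known RID so a renamed Guest account is still found:
# 501 = Guest, 513 = Domain Users, 514 = Domain Guests
$sid          = (Get-ADDomain).DomainSID.Value
$guest        = Get-ADUser  -Identity "$sid-501" -Properties PrimaryGroupID, MemberOf
$domainUsers  = Get-ADGroup -Identity "$sid-513"
$domainGuests = Get-ADGroup -Identity "$sid-514"

# MemberOf never lists the primary group, so membership has to be checked in
# both places: the primaryGroupID attribute and the MemberOf list.
$isPrimary = $guest.PrimaryGroupID -eq 513
$isMember  = $guest.MemberOf -contains $domainUsers.DistinguishedName

# Report the current state.
[pscustomobject]@{
    Account        = $guest.SamAccountName
    Enabled        = $guest.Enabled
    PrimaryGroupID = $guest.PrimaryGroupID
    InDomainUsers  = ($isPrimary -or $isMember)
}

if ($Fix -and ($isPrimary -or $isMember)) {
    if ($guest.PrimaryGroupID -ne 514) {
        # Step 5: Guest must be a member of Domain Guests before that group
        # can be set as its primary group.
        if ($guest.MemberOf -notcontains $domainGuests.DistinguishedName) {
            Add-ADGroupMember -Identity $domainGuests -Members $guest
        }
        Set-ADUser -Identity $guest -Replace @{ primaryGroupID = 514 }
    }
    # Step 6: once Domain Users is no longer the primary group, it is an
    # ordinary membership and can be removed.
    Remove-ADGroupMember -Identity $domainUsers -Members $guest -Confirm:$false
}
```

The order inside the `-Fix` branch mirrors steps 5 and 6: the primary group is changed first, because removal from Domain Users fails while it is still the primary group.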


