Add Local Guest to User Rights Assignment

Fabian 261 Reputation points
2021-10-27T11:45:02.1+00:00

Hi, how can I add the local guest account to the user rights assignment "Deny access to this computer from network" in a domain GPO? I know it's the default, but I want to enforce it. If I add "Guest" in the domain GPO, Domain\Guest is added on the target computer. "Builtin\Guest" doesn't work.

Best regards, fabian


Accepted answer
  1. MotoX80 35,511 Reputation points
    2021-10-28T23:50:17.17+00:00

    How about using the Guests group? Psgetsid shows that it is builtin.

    SID for BUILTIN\guests:
    S-1-5-32-546
    

    The guest account is a member of the guests group.

    C:\>net localgroup guests
    Alias name     guests
    Comment        Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
    
    Members
    
    -------------------------------------------------------------------------------
    Guest
    The command completed successfully.
    

2 additional answers

  1. Gary Reynolds 9,591 Reputation points
    2021-10-27T22:17:42.533+00:00

    Hi @Fabian

    The default or implied behaviour of the Add User or Group dialog is to use the AD object selector via the Browse button to select the user or group you want to add. By using this method, you need to resolve the name to a SID of the user or group to be added to the policy setting. As the guest SID for each workstation is unique, you would need to add the SID of the guest account from each workstation into the policy. However, it is possible to add just the name of the user, and the name-to-SID resolution is completed on the workstation.

    Just enter the name (do not use Browse) and click OK.

    The entry will be added to the policy as:

    [Privilege Rights]
    SeDenyInteractiveLogonRight = guest
    

    The name to SID resolution will be completed on the workstation and should resolve to the local guest account and not the domain account.

    Gary.
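
A check for the target computer that shows which principals a user right actually resolved to, covering both the BUILTIN\Guests suggestion in the accepted answer and the name-only entry described above. This is an added example, not code from any of the posters; the function name `Get-UserRightHolder` is hypothetical, and it assumes an elevated Windows PowerShell 5.1 session after the policy has refreshed.

```powershell
# Added example (hypothetical helper). Run elevated on the target computer
# after the GPO has applied, e.g. after "gpupdate /force".
function Get-UserRightHolder {
    param([string]$Right = 'SeDenyNetworkLogonRight')

    $cfg = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user rights assignments of this computer to an INF file.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
        $hit = Get-Content -Path $cfg | Select-String -Pattern $pattern | Select-Object -First 1
        if (-not $hit) { return }   # nobody holds this right on this computer

        # The local Guest account is the local user with RID 501, even if renamed.
        $localGuest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }

        foreach ($entry in ($hit.Matches[0].Groups[1].Value -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $sid = $null
            $name = '<unresolved>'
            try {
                # secedit writes resolved principals as *SID and unresolved ones as names.
                if ($entry.StartsWith('*')) {
                    $sid = [Security.Principal.SecurityIdentifier]::new($entry.Substring(1))
                } else {
                    $sid = ([Security.Principal.NTAccount]$entry).Translate([Security.Principal.SecurityIdentifier])
                }
                $name = $sid.Translate([Security.Principal.NTAccount]).Value
            } catch { }   # leave $sid/$name as they are when a lookup fails

            $kind = 'Other'
            if ($sid) {
                if ($localGuest -and $sid.Value -eq $localGuest.SID.Value) { $kind = 'Local Guest account' }
                elseif ($sid.Value -eq 'S-1-5-32-546') { $kind = 'BUILTIN\Guests group' }
                elseif ($sid.Value -like 'S-1-5-21-*-501') { $kind = 'Guest of another authority (e.g. the domain)' }
            }
            [pscustomobject]@{ Entry = $entry; Sid = "$sid"; Account = $name; Kind = $kind }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

Get-UserRightHolder -Right 'SeDenyNetworkLogonRight' | Format-Table -AutoSize
```

Pass `-Right 'SeDenyInteractiveLogonRight'` to inspect the right shown in the policy snippet above.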


  2. Limitless Technology 39,811 Reputation points
    2021-10-28T08:22:00.53+00:00

    Hi there,

    The default value is only Guests. You should add the second group to prevent pass-the-hash attacks, so if a local elevated user is compromised

    Each user right has a constant name and a Group Policy name associated with it. The constant names are used when referring to the user right in log events. You can configure the user rights assignment settings in the following location within the Group Policy Management Console (GPMC) under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment, or on the local device by using the Local Group Policy Editor (gpedit.msc).


    --If the reply is helpful, please Upvote and Accept it as an answer--

