Allow log on locally in Default Domain Controller Policy.

Discussion in 'MCSE' started by =?Utf-8?B?UmVic3U=?=, Jun 7, 2005.

  1. I was looking over our group policy settings while studying for 70-292 and
    noticed that the group Domain Users is included in the Allow log on locally
    setting in the Default Domain Controller Policy. Is this ok or dangerous?
    Is it necessary? DCs are 2003 standard.
     
    =?Utf-8?B?UmVic3U=?=, Jun 7, 2005
    #1
    1. Advertising

  2. That is not a default install. The default install has Account Operators,
    Administrators, Backup Operators, Print Operators and Server Operators in
    the list to Allow log on locally.
    Your config is not recommended and is a security problem. I would change it
    if I were you.

    Bill Griffith

    "Rebsu" <> wrote in message
    news:...
    >I was looking over our group policy settings while studying for 70-292 and
    > noticed that the group Domain Users is included in the Allow log on
    > locally
    > setting in the Default Domain Controller Policy. Is this ok or dangerous?
    > Is it necessary? DCs are 2003 standard.
     
    Bill Griffith, Jun 8, 2005
    #2
    1. Advertising

  3. =?Utf-8?B?UmVic3U=?=

    zenner Guest

    Is your DC also serving double duty as possibly a File or Printer server?

    Your System Administrator may have an explanation, if you are not the
    sysAdmin...then ask him or her (respectfully, if possible.) if they knew
    about it and/or intended to include domain users in the "logon locally"
    permission list, and if so...why?

    Asked in the right way you may get an explanation that is reasonable, given
    the circumstances of your companies environment.

    Even the best guidelines have exceptions...that's why the are called
    Guideline, instead of rules.
    "Rebsu" <> wrote in message
    news:...
    >I was looking over our group policy settings while studying for 70-292 and
    > noticed that the group Domain Users is included in the Allow log on
    > locally
    > setting in the Default Domain Controller Policy. Is this ok or dangerous?
    > Is it necessary? DCs are 2003 standard.
     
    zenner, Jun 8, 2005
    #3
  4. =?Utf-8?B?UmVic3U=?=

    rainman Guest

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    zenner wrote:
    > Is your DC also serving double duty as possibly a File or Printer server?
    >
    > Your System Administrator may have an explanation, if you are not the
    > sysAdmin...then ask him or her (respectfully, if possible.) if they knew
    > about it and/or intended to include domain users in the "logon locally"
    > permission list, and if so...why?
    >
    > Asked in the right way you may get an explanation that is reasonable, given
    > the circumstances of your companies environment.
    >
    > Even the best guidelines have exceptions...that's why the are called
    > Guideline, instead of rules.
    > "Rebsu" <> wrote in message
    > news:...
    >
    >>I was looking over our group policy settings while studying for 70-292 and
    >>noticed that the group Domain Users is included in the Allow log on
    >>locally
    >>setting in the Default Domain Controller Policy. Is this ok or dangerous?
    >>Is it necessary? DCs are 2003 standard.

    >
    >
    >


    It has to be this way in the domain policy... the logon locally policy
    affects all domain computers. Nobody could log onto any domain computer
    if it were denied. However, that's for the domain policy, which
    propagates to domain computers... not the server's own policy which does
    not propagate. It should probably be removed from the server's
    permissions, if it's there.

    Rainman
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (MingW32)
    Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

    iD8DBQFCp6XE9ZOMhmWO5XkRAr/FAJ0Z63mvjdzdUx9RKvhY43kP0XuSHQCdFbb0
    wXHneiJZq7VYhItyYtH2kNg=
    =ayLn
    -----END PGP SIGNATURE-----
     
    rainman, Jun 9, 2005
    #4
  5. =?Utf-8?B?UmVic3U=?=

    zenner Guest

    There is no reason that a normal user needs to logon to a Domain Controller.
    Anything he needs should be accessed through an API. Files are access
    through shares, printers through spooler, applications through whatever API
    that the app provides. Only members of one of the Admin groups, by default,
    are allowed Logon rights to a DC. Member servers are an entirely different
    issue.

    Are we talking about the same thing?

    "zenner" <> wrote in message
    news:fnIpe.1581$...
    > Is your DC also serving double duty as possibly a File or Printer server?
    >
    > Your System Administrator may have an explanation, if you are not the
    > sysAdmin...then ask him or her (respectfully, if possible.) if they knew
    > about it and/or intended to include domain users in the "logon locally"
    > permission list, and if so...why?
    >
    > Asked in the right way you may get an explanation that is reasonable,
    > given the circumstances of your companies environment.
    >
    > Even the best guidelines have exceptions...that's why the are called
    > Guideline, instead of rules.
    > "Rebsu" <> wrote in message
    > news:...
    >>I was looking over our group policy settings while studying for 70-292 and
    >> noticed that the group Domain Users is included in the Allow log on
    >> locally
    >> setting in the Default Domain Controller Policy. Is this ok or
    >> dangerous?
    >> Is it necessary? DCs are 2003 standard.

    >
    >
     
    zenner, Jun 9, 2005
    #5
  6. =?Utf-8?B?UmVic3U=?=

    rainman Guest

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    There is one reason why a normal user needs logon locally permissions to
    the server: FTP via IIS. If the user needs FTP access to the server, you
    HAVE to give him local logon rights, just because that's the way IIS works.

    However, it is more likely the answer to this problem lies in my
    previous post in this thread...

    zenner wrote:
    > There is no reason that a normal user needs to logon to a Domain Controller.
    > Anything he needs should be accessed through an API. Files are access
    > through shares, printers through spooler, applications through whatever API
    > that the app provides. Only members of one of the Admin groups, by default,
    > are allowed Logon rights to a DC. Member servers are an entirely different
    > issue.
    >
    > Are we talking about the same thing?
    >
    > "zenner" <> wrote in message
    > news:fnIpe.1581$...
    >
    >>Is your DC also serving double duty as possibly a File or Printer server?
    >>
    >>Your System Administrator may have an explanation, if you are not the
    >>sysAdmin...then ask him or her (respectfully, if possible.) if they knew
    >>about it and/or intended to include domain users in the "logon locally"
    >>permission list, and if so...why?
    >>
    >>Asked in the right way you may get an explanation that is reasonable,
    >>given the circumstances of your companies environment.
    >>
    >>Even the best guidelines have exceptions...that's why the are called
    >>Guideline, instead of rules.
    >>"Rebsu" <> wrote in message
    >>news:...
    >>
    >>>I was looking over our group policy settings while studying for 70-292 and
    >>>noticed that the group Domain Users is included in the Allow log on
    >>>locally
    >>>setting in the Default Domain Controller Policy. Is this ok or
    >>>dangerous?
    >>>Is it necessary? DCs are 2003 standard.

    >>
    >>

    >
    >


    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (MingW32)
    Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

    iD8DBQFCqbRk9ZOMhmWO5XkRAjWvAJ0Z2HcgTi2RbCxmw/38TFnqVEimJACfeYyN
    MeUR8n07AJTwj/OlFoBrnCY=
    =fQ/S
    -----END PGP SIGNATURE-----
     
    rainman, Jun 10, 2005
    #6
  7. =?Utf-8?B?UmVic3U=?=

    zenner Guest

    As noted by your explanation. If you are aware that you are circumventing
    accepted practices for a DC and are willing to accept the risk..that is your
    decision.

    My point is still valid, given accepted practice and for security...no user
    has a reason for local access to a DC. Even placing an FTP server on a DC,
    you can still set up your permission to avoid giving local logon access to
    normal users.

    If you feel it acceptable risk, It's your system, do as you feel is
    reasonable. I still suggest you research a better solution.
    "rainman" <> wrote in message
    news:p...
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > There is one reason why a normal user needs logon locally permissions to
    > the server: FTP via IIS. If the user needs FTP access to the server, you
    > HAVE to give him local logon rights, just because that's the way IIS
    > works.
    >
    > However, it is more likely the answer to this problem lies in my
    > previous post in this thread...
    >
    > zenner wrote:
    >> There is no reason that a normal user needs to logon to a Domain
    >> Controller.
    >> Anything he needs should be accessed through an API. Files are access
    >> through shares, printers through spooler, applications through whatever
    >> API
    >> that the app provides. Only members of one of the Admin groups, by
    >> default,
    >> are allowed Logon rights to a DC. Member servers are an entirely
    >> different
    >> issue.
    >>
    >> Are we talking about the same thing?
    >>
    >> "zenner" <> wrote in message
    >> news:fnIpe.1581$...
    >>
    >>>Is your DC also serving double duty as possibly a File or Printer server?
    >>>
    >>>Your System Administrator may have an explanation, if you are not the
    >>>sysAdmin...then ask him or her (respectfully, if possible.) if they knew
    >>>about it and/or intended to include domain users in the "logon locally"
    >>>permission list, and if so...why?
    >>>
    >>>Asked in the right way you may get an explanation that is reasonable,
    >>>given the circumstances of your companies environment.
    >>>
    >>>Even the best guidelines have exceptions...that's why the are called
    >>>Guideline, instead of rules.
    >>>"Rebsu" <> wrote in message
    >>>news:...
    >>>
    >>>>I was looking over our group policy settings while studying for 70-292
    >>>>and
    >>>>noticed that the group Domain Users is included in the Allow log on
    >>>>locally
    >>>>setting in the Default Domain Controller Policy. Is this ok or
    >>>>dangerous?
    >>>>Is it necessary? DCs are 2003 standard.
    >>>
    >>>

    >>
    >>

    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.4.1 (MingW32)
    > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
    >
    > iD8DBQFCqbRk9ZOMhmWO5XkRAjWvAJ0Z2HcgTi2RbCxmw/38TFnqVEimJACfeYyN
    > MeUR8n07AJTwj/OlFoBrnCY=
    > =fQ/S
    > -----END PGP SIGNATURE-----
     
    zenner, Jun 10, 2005
    #7
  8. Maybe you should read the original question more carefully. He said Default
    Domain Controllers Policy.

    Bill Griffith

    "rainman" <> wrote in message
    news:...
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > zenner wrote:
    >> Is your DC also serving double duty as possibly a File or Printer server?
    >>
    >> Your System Administrator may have an explanation, if you are not the
    >> sysAdmin...then ask him or her (respectfully, if possible.) if they knew
    >> about it and/or intended to include domain users in the "logon locally"
    >> permission list, and if so...why?
    >>
    >> Asked in the right way you may get an explanation that is reasonable,
    >> given
    >> the circumstances of your companies environment.
    >>
    >> Even the best guidelines have exceptions...that's why the are called
    >> Guideline, instead of rules.
    >> "Rebsu" <> wrote in message
    >> news:...
    >>
    >>>I was looking over our group policy settings while studying for 70-292
    >>>and
    >>>noticed that the group Domain Users is included in the Allow log on
    >>>locally
    >>>setting in the Default Domain Controller Policy. Is this ok or
    >>>dangerous?
    >>>Is it necessary? DCs are 2003 standard.

    >>
    >>
    >>

    >
    > It has to be this way in the domain policy... the logon locally policy
    > affects all domain computers. Nobody could log onto any domain computer
    > if it were denied. However, that's for the domain policy, which
    > propagates to domain computers... not the server's own policy which does
    > not propagate. It should probably be removed from the server's
    > permissions, if it's there.
    >
    > Rainman
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.4.1 (MingW32)
    > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
    >
    > iD8DBQFCp6XE9ZOMhmWO5XkRAr/FAJ0Z63mvjdzdUx9RKvhY43kP0XuSHQCdFbb0
    > wXHneiJZq7VYhItyYtH2kNg=
    > =ayLn
    > -----END PGP SIGNATURE-----
     
    Bill Griffith, Jun 11, 2005
    #8
  9. =?Utf-8?B?UmVic3U=?=

    rainman Guest

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Personally I suggest not using FTP on a DC at all, because IIS, like IE,
    is notorious for security holes... not to mention that it just wouldn't
    be useful unless you're doubling up server duties for lack of cash...
    but unfortunately it is necessary for the feature if somebody does make
    that (poor) choice.

    Rainman

    zenner wrote:
    > As noted by your explanation. If you are aware that you are circumventing
    > accepted practices for a DC and are willing to accept the risk..that is your
    > decision.
    >
    > My point is still valid, given accepted practice and for security...no user
    > has a reason for local access to a DC. Even placing an FTP server on a DC,
    > you can still set up your permission to avoid giving local logon access to
    > normal users.
    >
    > If you feel it acceptable risk, It's your system, do as you feel is
    > reasonable. I still suggest you research a better solution.
    > "rainman" <> wrote in message
    > news:p...
    >
    > There is one reason why a normal user needs logon locally permissions to
    > the server: FTP via IIS. If the user needs FTP access to the server, you
    > HAVE to give him local logon rights, just because that's the way IIS
    > works.
    >
    > However, it is more likely the answer to this problem lies in my
    > previous post in this thread...
    >
    > zenner wrote:
    >
    >>There is no reason that a normal user needs to logon to a Domain
    >>Controller.
    >>Anything he needs should be accessed through an API. Files are access
    >>through shares, printers through spooler, applications through whatever
    >>API
    >>that the app provides. Only members of one of the Admin groups, by
    >>default,
    >>are allowed Logon rights to a DC. Member servers are an entirely
    >>different
    >>issue.

    >
    >>Are we talking about the same thing?

    >
    >>"zenner" <> wrote in message
    >>news:fnIpe.1581$...

    >
    >
    >>>Is your DC also serving double duty as possibly a File or Printer server?

    >
    >>>Your System Administrator may have an explanation, if you are not the
    >>>sysAdmin...then ask him or her (respectfully, if possible.) if they knew
    >>>about it and/or intended to include domain users in the "logon locally"
    >>>permission list, and if so...why?

    >
    >>>Asked in the right way you may get an explanation that is reasonable,
    >>>given the circumstances of your companies environment.

    >
    >>>Even the best guidelines have exceptions...that's why the are called
    >>>Guideline, instead of rules.
    >>>"Rebsu" <> wrote in message
    >>>news:...

    >
    >
    >>>>I was looking over our group policy settings while studying for 70-292
    >>>>and
    >>>>noticed that the group Domain Users is included in the Allow log on
    >>>>locally
    >>>>setting in the Default Domain Controller Policy. Is this ok or
    >>>>dangerous?
    >>>>Is it necessary? DCs are 2003 standard.

    >
    >
    >

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (MingW32)
    Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

    iD8DBQFCqlmv9ZOMhmWO5XkRAj2uAJ9HwgVDvytDad9Kr3mb1+b3zI7EuwCffpxC
    ayOuYOk/DP8VgrHn5xj+v0c=
    =xon4
    -----END PGP SIGNATURE-----
     
    rainman, Jun 11, 2005
    #9
  10. =?Utf-8?B?UmVic3U=?=

    Guest Guest

    rainman touches fat people... film at eleven.

    "rainman" <> wrote in message
    news:...
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > zenner wrote:
    >> Is your DC also serving double duty as possibly a File or Printer server?
    >>
    >> Your System Administrator may have an explanation, if you are not the
    >> sysAdmin...then ask him or her (respectfully, if possible.) if they knew
    >> about it and/or intended to include domain users in the "logon locally"
    >> permission list, and if so...why?
    >>
    >> Asked in the right way you may get an explanation that is reasonable,
    >> given
    >> the circumstances of your companies environment.
    >>
    >> Even the best guidelines have exceptions...that's why the are called
    >> Guideline, instead of rules.
    >> "Rebsu" <> wrote in message
    >> news:...
    >>
    >>>I was looking over our group policy settings while studying for 70-292
    >>>and
    >>>noticed that the group Domain Users is included in the Allow log on
    >>>locally
    >>>setting in the Default Domain Controller Policy. Is this ok or
    >>>dangerous?
    >>>Is it necessary? DCs are 2003 standard.

    >>
    >>
    >>

    >
    > It has to be this way in the domain policy... the logon locally policy
    > affects all domain computers. Nobody could log onto any domain computer
    > if it were denied. However, that's for the domain policy, which
    > propagates to domain computers... not the server's own policy which does
    > not propagate. It should probably be removed from the server's
    > permissions, if it's there.
    >
    > Rainman
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.4.1 (MingW32)
    > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
    >
    > iD8DBQFCp6XE9ZOMhmWO5XkRAr/FAJ0Z63mvjdzdUx9RKvhY43kP0XuSHQCdFbb0
    > wXHneiJZq7VYhItyYtH2kNg=
    > =ayLn
    > -----END PGP SIGNATURE-----
     
    Guest, Jun 11, 2005
    #10
  11. =?Utf-8?B?UmVic3U=?=

    Guest Guest

    rainman touches fat people... film at eleven...

    "rainman" <> wrote in message
    news:p...
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > There is one reason why a normal user needs logon locally permissions to
    > the server: FTP via IIS. If the user needs FTP access to the server, you
    > HAVE to give him local logon rights, just because that's the way IIS
    > works.
    >
    > However, it is more likely the answer to this problem lies in my
    > previous post in this thread...
    >
    > zenner wrote:
    >> There is no reason that a normal user needs to logon to a Domain
    >> Controller.
    >> Anything he needs should be accessed through an API. Files are access
    >> through shares, printers through spooler, applications through whatever
    >> API
    >> that the app provides. Only members of one of the Admin groups, by
    >> default,
    >> are allowed Logon rights to a DC. Member servers are an entirely
    >> different
    >> issue.
    >>
    >> Are we talking about the same thing?
    >>
    >> "zenner" <> wrote in message
    >> news:fnIpe.1581$...
    >>
    >>>Is your DC also serving double duty as possibly a File or Printer server?
    >>>
    >>>Your System Administrator may have an explanation, if you are not the
    >>>sysAdmin...then ask him or her (respectfully, if possible.) if they knew
    >>>about it and/or intended to include domain users in the "logon locally"
    >>>permission list, and if so...why?
    >>>
    >>>Asked in the right way you may get an explanation that is reasonable,
    >>>given the circumstances of your companies environment.
    >>>
    >>>Even the best guidelines have exceptions...that's why the are called
    >>>Guideline, instead of rules.
    >>>"Rebsu" <> wrote in message
    >>>news:...
    >>>
    >>>>I was looking over our group policy settings while studying for 70-292
    >>>>and
    >>>>noticed that the group Domain Users is included in the Allow log on
    >>>>locally
    >>>>setting in the Default Domain Controller Policy. Is this ok or
    >>>>dangerous?
    >>>>Is it necessary? DCs are 2003 standard.
    >>>
    >>>

    >>
    >>

    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.4.1 (MingW32)
    > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
    >
    > iD8DBQFCqbRk9ZOMhmWO5XkRAjWvAJ0Z2HcgTi2RbCxmw/38TFnqVEimJACfeYyN
    > MeUR8n07AJTwj/OlFoBrnCY=
    > =fQ/S
    > -----END PGP SIGNATURE-----
     
    Guest, Jun 11, 2005
    #11
  12. =?Utf-8?B?UmVic3U=?=

    Guest Guest

    rainman is notorious for his security holes...

    "rainman" <> wrote in message
    news:...
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > Personally I suggest not using FTP on a DC at all, because IIS, like IE,
    > is notorious for security holes... not to mention that it just wouldn't
    > be useful unless you're doubling up server duties for lack of cash...
    > but unfortunately it is necessary for the feature if somebody does make
    > that (poor) choice.
    >
    > Rainman
    >
    > zenner wrote:
    >> As noted by your explanation. If you are aware that you are circumventing
    >> accepted practices for a DC and are willing to accept the risk..that is
    >> your
    >> decision.
    >>
    >> My point is still valid, given accepted practice and for security...no
    >> user
    >> has a reason for local access to a DC. Even placing an FTP server on a
    >> DC,
    >> you can still set up your permission to avoid giving local logon access
    >> to
    >> normal users.
    >>
    >> If you feel it acceptable risk, It's your system, do as you feel is
    >> reasonable. I still suggest you research a better solution.
    >> "rainman" <> wrote in message
    >> news:p...
    >>
    >> There is one reason why a normal user needs logon locally permissions to
    >> the server: FTP via IIS. If the user needs FTP access to the server, you
    >> HAVE to give him local logon rights, just because that's the way IIS
    >> works.
    >>
    >> However, it is more likely the answer to this problem lies in my
    >> previous post in this thread...
    >>
    >> zenner wrote:
    >>
    >>>There is no reason that a normal user needs to logon to a Domain
    >>>Controller.
    >>>Anything he needs should be accessed through an API. Files are access
    >>>through shares, printers through spooler, applications through whatever
    >>>API
    >>>that the app provides. Only members of one of the Admin groups, by
    >>>default,
    >>>are allowed Logon rights to a DC. Member servers are an entirely
    >>>different
    >>>issue.

    >>
    >>>Are we talking about the same thing?

    >>
    >>>"zenner" <> wrote in message
    >>>news:fnIpe.1581$...

    >>
    >>
    >>>>Is your DC also serving double duty as possibly a File or Printer
    >>>>server?

    >>
    >>>>Your System Administrator may have an explanation, if you are not the
    >>>>sysAdmin...then ask him or her (respectfully, if possible.) if they knew
    >>>>about it and/or intended to include domain users in the "logon locally"
    >>>>permission list, and if so...why?

    >>
    >>>>Asked in the right way you may get an explanation that is reasonable,
    >>>>given the circumstances of your companies environment.

    >>
    >>>>Even the best guidelines have exceptions...that's why the are called
    >>>>Guideline, instead of rules.
    >>>>"Rebsu" <> wrote in message
    >>>>news:...

    >>
    >>
    >>>>>I was looking over our group policy settings while studying for 70-292
    >>>>>and
    >>>>>noticed that the group Domain Users is included in the Allow log on
    >>>>>locally
    >>>>>setting in the Default Domain Controller Policy. Is this ok or
    >>>>>dangerous?
    >>>>>Is it necessary? DCs are 2003 standard.

    >>
    >>
    >>

    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.4.1 (MingW32)
    > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
    >
    > iD8DBQFCqlmv9ZOMhmWO5XkRAj2uAJ9HwgVDvytDad9Kr3mb1+b3zI7EuwCffpxC
    > ayOuYOk/DP8VgrHn5xj+v0c=
    > =xon4
    > -----END PGP SIGNATURE-----
     
    Guest, Jun 11, 2005
    #12
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Tyler Cobb
    Replies:
    6
    Views:
    18,647
    Tyler Cobb
    Oct 19, 2005
  2. Tyler Cobb
    Replies:
    1
    Views:
    741
    dawnad
    Oct 9, 2005
  3. Limited Wisdom
    Replies:
    7
    Views:
    798
    Jonathan Roberts
    Sep 13, 2006
  4. lawrend
    Replies:
    4
    Views:
    604
    D. Brown
    Apr 24, 2005
  5. Abaaseen
    Replies:
    9
    Views:
    1,016
    Kline Sphere
    Jan 19, 2009
Loading...

Share This Page