User Access Control

Hello! We recently had to figure out how to use Group Policy to
automate allowing groups of users to have Terminal Server access to
different sets of hosts, either as a local user or local
administrator. Not being a Windows Administrator of much experience,
it took me a while to figure out all the knobs that needed tweaking.

The basic results are:

  * Computers go in an OU named after their role (say, "Webservers")
  * Users go in two groups, "Webserver Users" and "Webserver Admins"
  * Group Policy sets the local Remote Desktop Users and Administrator
    groups, along with the "Log on through Terminal Services" and "Log on
    through the Console" rights.

Once it's running, you pretty much just need to move the computer into
the right part of the tree after joining the domain, and all the right
access controls will cascade.

The process is documented here:

I would love any feedback, or alternate ways to achieve the same net effect.



HJK Solutions - We Launch Startups -
Adam Jacob, Senior Partner
T: (206) 508-4759 E: adam@xxxxxxxxxxxxxxxx
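
One way to check that a role GPO matches the layout described in the post, as an added example that is not part of the original message or the author's documentation: the script audits the text of a GPO security template (GptTmpl.inf). The SIDs, the sample template and the mapping of "Log on through the Console" to SeInteractiveLogonRight are assumptions.

```python
# Added example: audit a GPO security template (GptTmpl.inf) against the
# role model in the post. Every SID here is a constructed sample value.
ADMINS, RDP_USERS = "S-1-5-32-544", "S-1-5-32-555"  # built-in local groups
BROAD = {"S-1-1-0", "S-1-5-11"}  # Everyone, Authenticated Users
# Assumed mapping of the post's two logon rights to template constants.
LOGON_RIGHTS = ("SeRemoteInteractiveLogonRight", "SeInteractiveLogonRight")
ROLE_USERS = "S-1-5-21-1111-2222-3333-1104"   # constructed: "Webserver Users"
ROLE_ADMINS = "S-1-5-21-1111-2222-3333-1105"  # constructed: "Webserver Admins"
SAMPLE = f"""[Group Membership]
*{ADMINS}__Members = *S-1-5-21-1111-2222-3333-512,*{ROLE_ADMINS}
*{RDP_USERS}__Members = *{ROLE_USERS}
[Privilege Rights]
SeRemoteInteractiveLogonRight = *{ADMINS},*{RDP_USERS}
SeInteractiveLogonRight = *{ADMINS},*S-1-5-21-1111-2222-3333-513
"""

def parse_inf(text):
    """Parse INF text into {section: {key: [values]}}, dropping '*' SID marks."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            items = [v.strip().lstrip("*") for v in value.split(",")]
            current[key.strip().lstrip("*")] = [v for v in items if v]
    return sections

def audit(text, role_users_sid, role_admins_sid):
    """Return a list of findings; an empty list means the template fits."""
    inf, findings = parse_inf(text), []
    groups = inf.get("Group Membership", {})
    rights = inf.get("Privilege Rights", {})
    admins = groups.get(ADMINS + "__Members", [])
    rdp = groups.get(RDP_USERS + "__Members", [])
    if role_admins_sid not in admins:
        findings.append("role admins group missing from Administrators")
    if role_users_sid in admins:
        findings.append("role users group is in Administrators")
    if role_users_sid not in rdp:
        findings.append("role users group missing from Remote Desktop Users")
    for right in LOGON_RIGHTS:
        if right not in rights:
            findings.append(right + " not defined by this GPO")
        for sid in rights.get(right, []):
            if sid in BROAD or sid.endswith("-513"):  # RID 513 = Domain Users
                findings.append(right + " granted to broad principal " + sid)
    return findings
```

The template stored in a GPO is UTF-16 encoded, so read it with encoding="utf-16" before passing the text to audit().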
