User Access Control

Hello! We recently had to figure out how to use Group Policy to
automate allowing groups of users to have Terminal Server access to
different sets of hosts, either as a local user or local
administrator. Not being a Windows Administrator of much experience,
it took me a while to figure out all the knobs that needed tweaking.

The basic results are:

- Computers go in an OU named after their role (say, "Webservers").
- Users go in two groups, "Webserver Users" and "Webserver Admins".
- Group Policy sets the local Remote Desktop Users and Administrator
  groups, along with the "Log on through Terminal Services" and "Log on
  through the Console" rights.

Once it's running, you pretty much just need to move the computer into
the right part of the tree after joining the domain, and all the right
access controls will cascade.

The process is documented here:

I would love any feedback, or alternate ways to achieve the same net effect.
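
An added example, not part of the original post: a Python check that audits a GPO security template (GptTmpl.inf) for the layout described above and reports any account that holds a group membership or logon right it should not. It assumes the two rights named in the post correspond to SeRemoteInteractiveLogonRight and SeInteractiveLogonRight; the domain SID, the RIDs for the two "Webserver" groups, and the function names are constructed for illustration.

```python
import configparser

# Well-known SIDs of the built-in local groups, as written in security templates.
ADMINISTRATORS = "*S-1-5-32-544"
RDP_USERS = "*S-1-5-32-555"          # Remote Desktop Users
DOMAIN = "*S-1-5-21-1111-2222-3333"  # constructed domain SID

# Constructed sample: -512 is Domain Admins, -1105 stands in for "Webserver
# Admins", -1106 for "Webserver Users". Real files are UTF-16; decode them first.
SAMPLE_INF = f"""\
[Version]
signature="$CHICAGO$"
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = {DOMAIN}-512,{DOMAIN}-1105
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = {DOMAIN}-1106
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,*S-1-1-0
SeInteractiveLogonRight = *S-1-5-32-544
"""

def _split(value):
    """Turn a comma-separated account list into a set."""
    return {s.strip() for s in value.split(",") if s.strip()}

def parse_template(text):
    """Return (members, rights): local group -> accounts, right -> accounts."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the original case of keys
    cp.read_string(text)
    members = {k[:-len("__Members")]: _split(v)
               for k, v in cp.items("Group Membership") if k.endswith("__Members")}
    rights = {k: _split(v) for k, v in cp.items("Privilege Rights")}
    return members, rights

def audit(text, expected_members, expected_rights):
    """List every deviation from the expected group members and logon rights."""
    members, rights = parse_template(text)
    findings = []
    for label, want, got in (("members", expected_members, members),
                             ("right", expected_rights, rights)):
        for key, wanted in want.items():
            have = got.get(key, set())
            findings += [f"{label} {key}: unexpected {s}" for s in sorted(have - wanted)]
            findings += [f"{label} {key}: missing {s}" for s in sorted(wanted - have)]
    return findings
```

Because a Restricted Groups "Members" entry replaces the local group's membership rather than adding to it, the expected set for Administrators should list every account that must keep admin access, such as Domain Admins in the sample.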



