Re: Terminal Services (Administration mode) Security

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 10/07/04 

Date: Thu, 07 Oct 2004 21:33:25 GMT

On the Windows 2000 Terminal Server add your group to the logon locally user
right . Do that in Local Security Policy for a domain member and you would
have to do that in Domain Controller Security Policy for domain controllers.
Look under security settings/local policies/user rights. If the server is a
domain controller you may want to put in a child OU to the domain
controllers OU and then configure that user right via a GPO for that OU.
That will prevent that group from being able to logon to all domain
controllers locally. If you do such be sure administrators is also included
in the logon locally user right. Keep in mind that any "deny" user right
will override any "allow" user right and that administrators are also
members of the users and everyone groups. If you are doing this to a non
domain controller, be sure that the local setting equals the effective
setting after refreshing the policy. If it does not, there is a domain/OU
policy overriding the local policy. --- Steve

<Navigato> wrote in message news:uooq4iJrEHA.1152@TK2MSFTNGP11.phx.gbl...
>I have an AD group 'RDPaccess' consisting of users from two domains: the
> local domain and it's parent domain. I have added this group with full
> access to the RDP connection in the Terminal Services Configuration
> application on the Win2K server.
>
> Using the remote desktop client:
> Attempting to log in as a non-administrative user from the parent domain I
> get the error 'You do not have permissions to log onto this session'. I
> then added the RDPaccess group to the local machine administrators group
> (just to see if the situation didn't improve) no dice.
>
> I can however log onto the server using an administrative login from the
> parent domain, and a non-administrative login (still a member of
> RDPaccess)
> in the local domain.
>
> Am I missing something? Any suggestions?
>
> Thanks!
>
>

Relevant Pages

  • Domain Controller Security Policy errors
    ... Security Policy or the Domain Controller Security Policy. ... The DC is also a print and file server. ... The domain controller for Group Policy operations is not available. ...
    (microsoft.public.win2000.active_directory)
  • RE: Problems importing template and others..
    ... My main problem is how do I apply the template to my entire domain group ... controllers OU, expect for the server. ... small business and want to make a group policy for everyone, ... if you import on a domain controller a security template will be applied ...
    (microsoft.public.windows.group_policy)
  • Re: GPO - Access denied after changing a GP setting
    ... This may render some server applications to fail. ... y Unable to open the GPO due to access denied. ... This tool was unable to re-create the EFS Certificates in the Default D omain Policy GPO Access is denied. ... You are about to restore Default Domain controller policy for the following domain Do you want to continue: ...
    (microsoft.public.windows.server.security)
  • Re: GPO - Access denied after changing a GP setting
    ... You are about to restore Default Domain policy and Default domain Controller po ... This may render some server applications to fail. ... Unable to open the GPO due to access denied. ... You are about to restore Default Domain controller policy for the following domain ...
    (microsoft.public.windows.server.security)
  • Re: Group Policy
    ... member server with *no* other roles on the network. ... regardless of their own inherited user policy settings). ... that shouldn't apply to administrators. ...
    (microsoft.public.windowsxp.security_admin)