Re: How to restrict user right on the server?
From: Miha Pihler (mihap-news_at_atlantis.si)
Date: Wed, 4 Aug 2004 14:29:34 +0200
My advice would be: don't allow users on a DC over TS. Set up another server
that is not a DC (AD) and have it as the Terminal Server for all users...

If you still want to allow users access, this is what you would have to
do on Windows 2003 AD (you didn't specify what AD you have).

Open "AD Users and Computers" MMC and right click on Domain Controllers OU.
Click on Properties and go to Group Policy tab. Right click Default domain
controller policy and click Edit and drill down under Computer
Configuration -> Windows Settings -> Security Settings -> Local Policies ->
User Rights Assignment. Here look for the setting "Allow logon through Terminal
Services" and double click on this policy. Remove the Domain Administrators
group and add in a group with the users that need access (e.g. Domain Users group
or any group that you created (e.g. Terminal Services Access for Users)).

Again, this is a very bad thing to do and again I would advise against it.
Even if you prevent users from creating user accounts, they can still e.g. go
and open their webmail, download an infected attachment and run it on your
I hope this helps,
"Roy T" <RoyT@discussions.microsoft.com> wrote in message
> Hi All,
> We have a Domain controller which is also a Terminal Service server. We
> want to give rights to the users on the network to access through the Terminal
> Service, but stop them from creating users and other server roles. Because
> at the moment, as long as they can access the terminal service they have
> all the access and rights to the server, which is not what we wanted. What
> is the minimum setting to allow terminal service users to access the terminal
> service without any rights on the Active Directory, especially creating
> Any help will be appreciated!
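
An added example, not part of the original thread: a defender-side check of who holds "Allow logon through Terminal Services" in a GPO security template (GptTmpl.inf), where that setting is stored as `SeRemoteInteractiveLogonRight`. The sample template, its domain SID and the function names are constructed for illustration.

```python
import re

RIGHT = "SeRemoteInteractiveLogonRight"  # "Allow logon through Terminal Services"

# Well-known SIDs and domain RIDs that cover ordinary (non-admin) users.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}
BROAD_DOMAIN_RIDS = {"513": "Domain Users", "514": "Domain Guests"}

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; strip it for comparison.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def broad_ts_logon(inf_text):
    """List (sid, name) entries that grant TS logon to ordinary users."""
    findings = []
    for sid in parse_privilege_rights(inf_text).get(RIGHT, []):
        domain = re.fullmatch(r"S-1-5-21(?:-\d+){3}-(\d+)", sid)
        if sid in BROAD_SIDS:
            findings.append((sid, BROAD_SIDS[sid]))
        elif domain and domain.group(1) in BROAD_DOMAIN_RIDS:
            findings.append((sid, BROAD_DOMAIN_RIDS[domain.group(1)]))
    return findings

# Constructed sample: a DC policy where Domain Users was added to the right.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-513
"""

if __name__ == "__main__":
    for sid, name in broad_ts_logon(SAMPLE_INF):
        print(f"{RIGHT} granted to {name} ({sid})")
```

Entries stored as plain account names rather than SIDs are not matched by this check and need to be resolved separately.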