Re: How to restrict user right on the server?

From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 08/04/04

    Date: Wed, 4 Aug 2004 14:29:34 +0200
    
    

    Hi Roy,

    My advice would be, don't allow users on DC over TS. Set up another server
    that is not DC (AD) and have it as Terminal Server for all users...

    If you still want to allow users access, this is what you would have to
    do on Windows 2003 AD (you didn't specify what AD you have).

    Open "AD Users and Computers" MMC and right click on Domain Controllers OU.
    Click on Properties and go to Group Policy tab. Right click Default domain
    controller policy and click Edit and drill down under Computer
    Configuration -> Windows Settings -> Security Settings -> Local Policies ->
    User Rights Assignment. Here look for setting "Allow logon through Terminal
    Services" and double click on this policy. Remove Domain Administrators
    group and add in group with users that need access (e.g. Domain Users group
    or any group that you created (e.g. Terminal Services Access for Users)).

    Again, this is a very bad thing to do and again I would advise against it.
    Even if you prevent users from creating user accounts, they can still e.g. go
    and open their webmail, download an infected attachment and run it on your
    DC...

    I hope this helps,

    Mike

    "Roy T" <RoyT@discussions.microsoft.com> wrote in message
    news:2123285B-41FB-49EE-B466-D98B29C6B7CD@microsoft.com...
    > Hi All,
    >
    > We have a Domain controller which is also a Terminal Service server. We
    > want to give right to the users on the network to access through the Terminal
    > Service, but stop them from creating users and other server role. Because
    > at the moment, as long as they can access to the terminal service they have
    > all the access and right to the server, which is not what we wanted. What
    > is the minimum setting to allow terminal service user to access the terminal
    > service without any right on the Active Directory, especially creating
    > users?
    >
    > Any help will be appreciated!
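
Added example, not part of the original post: a PowerShell check that lists which accounts hold the user right behind "Allow logon through Terminal Services" (SeRemoteInteractiveLogonRight) on the server it runs on, and flags broad groups on it. It assumes an elevated PowerShell session on the domain controller; the function name Get-RightHolders and the list of groups treated as broad are choices made for this example.

```powershell
# Added example (not from the original post). Run elevated on the server under review.
# Get-RightHolders is a hypothetical helper name used only in this example.
function Get-RightHolders {
    param(
        [Parameter(Mandatory)] [string[]] $InfLines,
        [string] $Right = 'SeRemoteInteractiveLogonRight'
    )
    # In the secedit export, each right is one line: Name = *SID,*SID,account
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }          # right is not assigned to anyone
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {
            # Entries written as *S-1-... are SIDs; resolve them to account names
            $sid = $entry.TrimStart('*')
            try {
                $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $name = $id.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '<unresolved>' }
            [pscustomobject]@{ Sid = $sid; Account = $name }
        } else {
            # Entries without the asterisk are already account names
            [pscustomobject]@{ Sid = $null; Account = $entry }
        }
    }
}

# Export only the user-rights area of the server's security database
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$holders = @(Get-RightHolders -InfLines (Get-Content $cfg))
Remove-Item $cfg

$holders | Format-Table -AutoSize

# Groups treated as "broad" here (an assumption of this example):
# Everyone, Authenticated Users, BUILTIN\Users, and Domain Users (RID 513)
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$broad = @($holders | Where-Object {
    $_.Sid -and ($broadSids -contains $_.Sid -or $_.Sid -match '^S-1-5-21-.+-513$')
})
if ($broad.Count -gt 0) {
    Write-Warning ("Broad groups may log on through Terminal Services: " +
                   (($broad | ForEach-Object { $_.Account }) -join ', '))
}
```

On a domain controller, a warning here means ordinary users can open an interactive session on the DC, which is the situation the reply advises against.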

