Re: remote desktop rights on domain controller

From: Steven L Umbach (n9rou_at_N0sPaM-comcast.net)
Date: 09/29/04

• Next message: Fei Chua: "Help Microsoft define the next Windows Certificate Server"
• Previous message: Miha Pihler: "Re: Help with Users Permissions"
• In reply to: Roger: "remote desktop rights on domain controller"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Wed, 29 Sep 2004 16:29:51 -0500

First of for domain controllers user rights must be configured in Domain
Controller Security Policy - not local policy. The user right for logon
locally should not interefere with networking unless it is denied for users
that use certain types of authentication for IIS web services on a computer
[ basic I believe] . The access this computer from the network and deny
access this computer from the network user rights can definitely ccause
networking problems if configured incorreclty. The "deny" user right
overrides and allow user righ and administrators are part of the user and
everyone groups.

Windows 2003 Servers have a Remote Desktop Users Group that is used to
assign rights for logon by Terminal Services/Remote Desktop so you may also
want to review those user rightrs also. By default in Domain Controller
Security Policy, administrators are included in the logon locally user right
and deny logon locally user right is defined but empty. You may also want to
check that administrators group is included in the Remote Desktop Users
Group on the domain controller if using Windows 2003. --- Steve

"Roger" <rludwig@nospam.co.black-hawk.ia.us> wrote in message
news:OFJNEOmpEHA.1644@tk2msftngp13.phx.gbl...
> In working with a domain controller, I messed up the administrator rights
to
> remotely login with remote desktop. I get the local policy of the system
> does not permit you to logon interactively. I changed the allow log on
> locally in the local policies, but it caused issues in the network so I
> removed that setting. I can do remote desktop on any other server but
this
> one. The interesting part is that the remote desktop works for those I
> assign now on this particular server, but not the administrator. What can
I
> do to fix this?
>
> Maybe demoting this server would regain the rights for the Administrator.
>
> thanks
> Roger
>
>
>

---

• Next message: Fei Chua: "Help Microsoft define the next Windows Certificate Server"
• Previous message: Miha Pihler: "Re: Help with Users Permissions"
• In reply to: Roger: "remote desktop rights on domain controller"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: logon from the server machine ! ... The default Domain Controller policy in Windows Server 2003 does not allow ... Security Policy setting. ... Policies/User Rights Assignment - and add the user to the Allow Local Logon ... (microsoft.public.windows.server.general) Re: Still problems with connecting to FTP site ... On a 2003 machine you can logon with username@domain.com but on the 2000 ... > Because the ftp is not on a Domain controller, ... > you should check domain security policy. ... but I can't login with the domain user account. ... (microsoft.public.inetserver.iis.ftp) Re: logon from the server machine ! ... >The default Domain Controller policy in Windows Server ... >Security Policy setting. ... Allow Local Logon ... (microsoft.public.windows.server.general) Re: Users no longer authenticate on W2k-svr ... the user rights setting in the Local ... Security Policy did it. ... establishing the connection from the RAS server, ... >auditing of logon events on that server and then view the ... (microsoft.public.win2000.networking) Re: Still problems with connecting to FTP site ... How to Enable UPN Logon with Internet Information Services 5.0 ... >> Because the ftp is not on a Domain controller, ... >> you should check domain security policy. ... >> Bernard Cheah ... (microsoft.public.inetserver.iis.ftp)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(17)