Re: Logon Using Terminal Services GPO



You can create a GPO that only applies to this DC.
Use GPMC if not already.
Add security filtering on the GPO, so it applies only to this DC.

Take care: being admin of a DC means admin of the domain. They may change your GPO to get full access anyway.


--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Mathew V" <mvlandys@xxxxxxxxx> wrote in message news:1187247447.765096.311480@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi All,
I've been searching high and low for an answer but it doesn't look like
anyone has asked this question before. The company I work for has 5
domain controllers (all in separate locations - Aus, UK, India etc).
The company's main IT Dept (who I work for) admins all these servers,
though recently we have employed some systems admin contractors to
look after the AD servers in India.

The server is in a rack with no monitor attached so the only way for
these guys to log in is via RDP/Terminal Services. I have added their
user account in "Domain Controller Security Policy" -> "User Rights
Assignment" -> "Allow log on through Terminal Services".

So now they can logon remotely and administer the server (check event
logs, create users etc). I have also given them the right to shut down
the server, as from time to time they may need to bounce the server
for hardware upgrades etc.

Though I do not want them having RDP access to, or shutting down, other servers
within the domain. Unfortunately the GPOs that I've edited give these
users those permissions throughout all domain controllers.

Is there a way to specify which domain controllers I want these users
to be able to RDP & shutdown?
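
The approach suggested in the reply at the top of this thread (a separate GPO, security-filtered to one DC), sketched as an added example that is not part of either post. It assumes a management host with the GroupPolicy PowerShell module; the GPO name, DC name and domain are placeholders.

```powershell
# Added example: every name below is a placeholder, not a value from the thread.
Import-Module GroupPolicy

$GpoName = 'DC-India Contractor Logon Rights'          # hypothetical GPO name
$DcName  = 'DC-INDIA'                                   # hypothetical computer account of the one DC
$DcOu    = 'OU=Domain Controllers,DC=corp,DC=example'   # hypothetical domain

# 1. Create an empty GPO that will carry the two user rights.
New-GPO -Name $GpoName -Comment 'RDP logon and shutdown rights for one DC only' | Out-Null

# 2. Security filtering: only the named DC may apply the GPO.
Set-GPPermission -Name $GpoName -TargetName $DcName -TargetType Computer `
    -PermissionLevel GpoApply | Out-Null
#    Authenticated Users is downgraded from Apply to Read. Read has to stay,
#    otherwise the DC cannot read the GPO when it processes policy.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 3. Link it to the Domain Controllers OU with the highest precedence there.
New-GPLink -Name $GpoName -Target $DcOu -LinkEnabled Yes -Order 1 | Out-Null

# 4. The rights themselves ("Allow log on through Terminal Services",
#    "Shut down the system") are set in this GPO with the GPO editor and the
#    contractor account is removed from the policy shared by all DCs.
#    User-rights settings are not merged across GPOs: the winning GPO's list
#    replaces the others, so it must also name every account that already
#    needs the right on this DC (Administrators and so on).

# 5. Review who can apply the GPO and, per the reply's warning, who can edit it.
Get-GPPermission -Name $GpoName -All |
    Sort-Object Permission |
    Format-Table @{n = 'Trustee'; e = { $_.Trustee.Name }}, TrusteeType, Permission -AutoSize

# 6. Confirm the precedence order the DCs in the OU will see.
(Get-GPInheritance -Target $DcOu).InheritedGpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize
```

Any trustee listed with an edit-level permission in step 5, and any account that is an administrator on a DC, can alter this filtering, so the GPO is worth including in change auditing.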

