Disable "Allow logon to terminal server"

Guest

Is there a way to remotely manage (script, GPO, etc) the local account
property, "Allow logon to terminal server" for local accounts on Windows 2000
servers? The domain is also Windows 2000.
 
Steven L Umbach

You could remote in via TS to manage those accounts or use security policy
to manage the user right for "logon locally" which a user will need to
access a TS in W2K. In Windows 2003 that has been changed to a separate user
right called "allow logon through Terminal Services". That can be configured
through Local Security Policy or you can put the computer in an
Organizational Unit with its own GPO with the logon locally configured to
your needs. User rights are accessible through computer
configuration/Windows settings/security settings/local policies/user rights.
That will not directly configure the user's local account but they can not
logon without the logon locally user right. -- Steve
 
Guest

Steve,

Thanks for the response. Let me add a little more background which should
further explain my issue. I need to disable the permission, "Allow logon to
terminal server," for over 2000 administrative service accounts located on
800 servers and due to some archaic applications I can not always remove the
security permission, "logon locally". Manually disabling this property per
account is not an option I can realistically implement.

Also, the member server and domain are all Windows 2000 so I do not have the
TS luxuries provided by Windows 2003 GPOs.

My gut instinct is that there is likely a way to set this account property
via a script but I've exhausted several searches trying to find it. Any
additional thoughts would be appreciated…


Thanks for the response. Let me add a little additional background which
should further explain my issue. I need to disable the permission, "Allow
logon to terminal server," for over 2000 accounts located on 700 servers but
in some instances I can not remove the security permission, "logon locally".
 
Steven L Umbach

Hmm. I don't know of a way to automate that account property. You might also
want to post in a Terminal Services newsgroup. I don't know how many TS you
have but it might be feasible to take a look at configuring the RDP
permissions on each TS to allow only specified domain groups permissions in
Terminal Services Configuration connections/RDP/properties. If you have
domain servers/computers that you never want to allow access to a TS you
could implement an IPsec filtering policy that uses a block filter action to
deny any outbound traffic for port 3389 from that computer. IPsec policies
can be easily managed via Group Policy computer configuration. --- Steve
 
Guest

Steve, thanks for your help. Amazingly enough I've found a scriptable method
for setting the account property, "Allow logon to terminal server." I just
came across the Sysinternals tool "TSCMD.exe" which can set this property
along with several other TS account properties.

http://www.systemtools.com/download/tscmd.zip

With the discovery of this tool it will be trivial now to create a VBS or
Batch script to disable this property for any number of local server
accounts. Now the only challenge is monitoring compliance...
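As an added example (not from the thread or from the tool's vendor), here is one way to drive tscmd.exe over a server/account list and keep a read-back report for the compliance monitoring mentioned above. It assumes the invocation forms `tscmd \\server user AllowLogon 0` (clear the flag) and `tscmd \\server user AllowLogon` (read it), and that the read-back output contains the value; both are assumptions to verify against the tool's own usage text, as are the constructed server and account names.

```powershell
# Added example, not the thread's or SystemTools' own code.
# ASSUMPTION: "tscmd \\server user AllowLogon 0" clears the flag and
# "tscmd \\server user AllowLogon" prints the current value. Check the
# tool's usage text before running this against 800 servers.
param(
    [string]$Targets = '.\ts-targets.csv',   # input: Server,Account per row
    [string]$Report  = '.\ts-compliance.csv',
    [switch]$AuditOnly                       # report only, change nothing
)

$tscmd = Join-Path $PSScriptRoot 'tscmd.exe'
if (-not (Test-Path $tscmd)) { throw "tscmd.exe not found at $tscmd" }

# Constructed sample input so the script can be tried without a real list.
if (-not (Test-Path $Targets)) {
@'
Server,Account
SRV001,svc_backup
SRV001,svc_monitor
SRV002,svc_backup
'@ | Set-Content $Targets
}

$results = foreach ($row in Import-Csv $Targets) {
    $server  = "\\$($row.Server)"
    $setExit = $null
    if (-not $AuditOnly) {
        # Clear "Allow logon to terminal server" for this local account.
        & $tscmd $server $row.Account AllowLogon 0 | Out-Null
        $setExit = $LASTEXITCODE
    }
    # Read the value back so the report reflects the state on the server,
    # not merely whether the set command was issued.
    $current  = (& $tscmd $server $row.Account AllowLogon 2>&1) -join ' '
    $readExit = $LASTEXITCODE
    [pscustomobject]@{
        Server    = $row.Server
        Account   = $row.Account
        SetExit   = $setExit
        ReadBack  = $current.Trim()
        # ASSUMPTION: a cleared flag shows up as a bare "0" in the output.
        Compliant = ($readExit -eq 0 -and $current -match '\b0\b')
        Checked   = (Get-Date).ToString('s')
    }
}

$results | Export-Csv $Report -NoTypeInformation
# Anything not compliant is what needs a second look (or a ticket).
$results | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Re-run with `-AuditOnly` on a schedule to catch accounts that drift back, since nothing in Windows 2000 Group Policy enforces this per-account property.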
 
Steven L Umbach

Cool. I use a lot of their tools but have never run across tscmd.exe. Thanks
for posting back with that info! --- Steve
 