How to allow non-administrators to log on to domain controllers


Sudeep Batra

Hi all,

Can someone suggest how to allow non-administrators to log on to domain controllers?

I have already added the required users to the "Log on locally" right in Group Policy, in Local Security Policy and in the Domain Controller Security Policy, but still no effect.

At a second stage I wanted these non-admins to have restricted access to the domain controllers to check eventvwr etc. by connecting over Remote Desktop Connection (Terminal Connection, remote admin mode).

Regards,

Sudeep
 

Jimmy Andersson [MVP]

Take a look at the 'Deny log on locally' setting so they aren't listed
there.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------



Simon Geary

You are doing the right thing, all that should be required is to give the user the log on locally right in the default domain controller policy. Double check your Group Policies and ensure that the policy is actually applying. Maybe run the secedit command to force reapplication of the GPO. If it still doesn't work, do some group policy troubleshooting. dcdiag and gpotool are good starting points.

To connect to a remote server event log you don't have to terminal services onto the machine, just use the local event viewer MMC and use this to connect to another server.

Would the server operators group be sufficient for your purposes?

Dmitry Korolyov [MVP]

If you want them to RDC to the server, add the users (or the group they are in)
to the Remote Desktop Users group on the server or in the domain, if the
server is a DC.

--
Dmitry Korolyov [[email protected]]
MVP: Windows Server - Active Directory



Sudeep Batra

Hi, thanks, but I've got Windows 2000 ADS; it doesn't have a Remote Desktop Users group.


/SB



Simon Geary

If you go into RDP properties you can define in there what users are allowed to terminal services on to a server.


Sudeep Batra

I had already allowed the required user in RDP properties (through tscc.msc), in the Permissions tab.

What I noticed is that the same user can log on to distant DCs which are across the WAN; however, on my two local LAN DCs, I cannot make them allow it.

These two DCs hold the FSMO roles (Schema Master ... etc.)

So the problem boils down to an inability to allow the non-admins, or even say Server Operators, to log on locally or via RDP to these two DCs.


So can someone help me further...

Appreciating everyone's response

/SB

Dmitry Korolyov [MVP]

Why can't you allow logon? Are you able to change permissions on the RDP
object?

Generally, your users will have to have the following permissions:

at least "User" permission on the terminal server (RDP connection object in TS configuration)
"Interactive logon" privilege (set in User Rights assignment)
"Log on through terminal services" privilege, if applicable

Also make sure that users are not members of appropriate "deny" privileges
on the server, e.g. "Deny interactive logon".

--
Dmitry Korolyov [[email protected]]
MVP: Windows Server - Active Directory
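
The allow/deny checks listed in the reply above, as an added example that is not part of the original thread: it parses the `[Privilege Rights]` section of a template exported from a DC with `secedit /export /cfg` and reports, for a user and its groups, whether local and Terminal Services logon are granted, not granted, or blocked by a deny right. The sample template and the two `S-1-5-21-...` SIDs are constructed, and the caller is assumed to supply the user's group SIDs (the code does not resolve membership).

```python
# kind -> (allow right, deny right) as named in the [Privilege Rights] section.
RIGHTS = {
    "local": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "rdp": ("SeRemoteInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight"),
}
USER_SID = "S-1-5-21-1111-2222-3333-1105"        # constructed user SID
DENY_GROUP_SID = "S-1-5-21-1111-2222-3333-1200"  # constructed group SID
# Constructed sample; real exports are usually UTF-16 encoded on disk.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-21-1111-2222-3333-1105
SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1200
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right name: set of lower-cased principals} from the template."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {m.strip().lstrip("*").lower() for m in value.split(",") if m.strip()}
    return rights

def check_logon(rights, principals):
    """principals: the user's SID plus the SID of every group it belongs to."""
    who = {p.lower() for p in principals}
    result = {}
    for kind, (allow, deny) in RIGHTS.items():
        if rights.get(deny, set()) & who:
            result[kind] = "denied by " + deny       # deny wins over allow
        elif allow not in rights:
            result[kind] = "right not defined"       # the "if applicable" case
        elif rights[allow] & who:
            result[kind] = "allowed"
        else:
            result[kind] = "not granted"
    return result

if __name__ == "__main__":
    print(check_logon(parse_privilege_rights(SAMPLE_INF), [USER_SID, DENY_GROUP_SID]))
```

Comparing the output for a DC where logon works against one where it fails shows which right differs between them.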

