Remote Desktop Logon to Server

Chaplain Doug

Windows 2000 Server. I want to allow a remote user to
logon to my server (via remote desktop) for some limited
work. At present, when they try to logon the server
says, "The local policy of this system does not permit you
to logon interactively."

First, what must I change to allow this user to logon to
my server remotely via remote desktop?

Second, how can I restrict the user's activities so that
they are only able to do administrative things on the
server?

Thanks.
 
Richard G. Harper

First, it sounds like you have login restrictions on your server, either
from Active Directory or from the local Machine Policies. You need to
change whichever is in force to allow other than Administrator users to log
in.

Your second request is a contradiction in terms. To allow someone
"administrative" access to a server allows them full access.

--
Richard G. Harper [MVP Win9x] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Chaplain Doug

Don't know why I chose the word "administrative." Indeed
an apparent contradiction. What I want to do is allow a
person to logon to the server in a restricted mode. I DO
NOT want them to have administrative capabilities.

At present the only way I have been able to make their
remote logon work is to make them a member of the
Administrators group. This is not what I wanted to do. I
want their logon to the server to be a restricted logon
(not super user or administrator). How do I accomplish
this?

I tried placing their user name in the local security
settings-local policies-user rights assignment-log on
locally, but they were still unable to log on after the
change (this was before I put them into the Administrator
group). What else could I try?



 
Richard G. Harper

Go into AD Domain Policies, pick the DC policy and edit it, then change the
User Rights assignments under Local Policies. Add the users you want to be
able to log onto the DCs. Done.

This is a bad, BAD idea; by the way.

--
Richard G. Harper [MVP Win9x] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
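
Added example (not part of the thread and not written by its participants): a Python audit of the "Log on locally" user right discussed above, working from the `[Privilege Rights]` section of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export and listing every principal other than Administrators that holds a logon right. The sample INF, the `EXAMPLE\jdoe` and `EXAMPLE\kiosk` accounts and the function names are constructed for illustration; `SeRemoteInteractiveLogonRight` exists only on Windows versions newer than Windows 2000.

```python
import re

# Constructed sample of a secedit USER_RIGHTS export (not from a real server).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,EXAMPLE\\jdoe
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyInteractiveLogonRight = EXAMPLE\\kiosk
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
"""

# Rights that decide who may open a console or Terminal Services session.
LOGON_RIGHTS = {
    "SeInteractiveLogonRight": "Log on locally",
    "SeRemoteInteractiveLogonRight": "Allow log on through Terminal Services",
}
ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of the built-in Administrators group


def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; account names are not.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights


def non_admin_logon_holders(rights):
    """List (right, principal) pairs granted to anything other than Administrators."""
    return [(r, p) for r in LOGON_RIGHTS
            for p in rights.get(r, []) if p != ADMINISTRATORS]


if __name__ == "__main__":
    for right, who in non_admin_logon_holders(parse_privilege_rights(SAMPLE_INF)):
        print(f"{LOGON_RIGHTS[right]} ({right}): {who}")
```

A real export is normally UTF-16 encoded, so read the file with `encoding="utf-16"` before passing its text to `parse_privilege_rights`.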


 
Guest

Hi -

I have been reading through this post because I am experiencing the same
problem. I have added the user to the Remote Desktop Users group but am
still unable to login via Terminal Services with that account. I am able to
login with the Administrator account.

If adjusting the domain policy is a bad, bad way of getting this to work, what
is a better way of doing it?

Thank you.
Rachel

 
Lanwench [MVP - Exchange]

Rachel said:
> Hi -
>
> I have been reading through this post because I am experiencing the
> same problem. I have added the user to the Remote Desktop Users
> group but am still unable to login via Terminal Services with that
> account. I am able to login with the Administrator account.

Check the ADUC properties for that user and make sure he/she is allowed to
log in via TS.

> If adjusting the domain policy is a bad, bad way of getting this to work,
> what is a better way of doing it?

I don't think that was his point. The point is, users really should not be
logging into your DC.

> Thank you.
> Rachel

 
Richard G. Harper

Inline:

"Lanwench [MVP - Exchange]"
> Check the ADUC properties for that user and make sure he/she is allowed to
> log in via TS.

Yep, I agree.

> I don't think that was his point. The point is, users really should not be
> logging into your DC.

That was also the point - DCs should not be used by users. DCs should
barely be used by administrators - only enough to keep them running. :)

THANKS!!

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Guest

Hi -

Thank you for the response. Yes, the user IS allowed to login via TS.

Should the user be logging in to the TS or the domain? In my Remote Desktop
window, I have the option to login to "this computer" - the TS or a domain.
Should the user be logging into "this computer" or the domain?

Thank you !
Rachel

 
Lanwench [MVP - Exchange]

Rachel said:
> Hi -
>
> Thank you for the response. Yes, the user IS allowed to login via TS.
>
> Should the user be logging in to the TS or the domain? In my Remote
> Desktop window, I have the option to login to "this computer" - the
> TS or a domain. Should the user be logging into "this computer" or
> the domain?

I presume they don't have a local account on this server, so it should be
the domain. I also presume this is a member server dedicated to Terminal
Services in application mode, and you have TS licensing set up properly?

> Thank you !
> Rachel

 
Guest

Hi -

Yes, both assumptions listed below are correct.

Lanwench said:
> I presume they don't have a local account on this server, so it should be
> the domain. I also presume this is a member server dedicated to Terminal
> Services in application mode, and you have TS licensing set up properly?
 
