Server Operators - can not logon

G

Guest

Hi,

I'm trying to allow a support person to logon on via TS to a Win2003 DC in
order to create shares and shut it down if necessary (the server is a
combined DC and File&Print server in another country).

I've added the user to every group under the sun, but the only way to get a
TS logon to work appears to be to make him a domain admin.

Am I being realy dumb ? Have I missed something obvious ?

More Info:
The user ServerUser: is a member of "server operators", "backup ops",
"printer ops"
If have modified the DC GPO so that each of these groups can "log on
locally" and "log on via TS" (NB: I allowed ServerUser to log on to member
servers by modifying the member server GPO this way, so thought this would
work).

I've found a TechNet article (KB267553) that talks about adding
tsInternetUser for Pre Win2000 access. Now my given domain is entirely WinXP
clients, Win2K3 (DC's 2003 native) and a few Win2Ksp4 member servers, I
should not need to do this.

But when I tried this in my test domain it it worked ! - am I opening some
massive security hole by doing this ?

Any help or suggestions appreciated.
Thanks in advance.
 
G

Guest

Update.

This user CAN logon to the console of a DC - but he still can not logon via
TS.

But, I thought that a "Server Operator" had the rights to shut down a server ?

Help....................!
 
D

Doug Gabbard

There is a "Remote Desktop Users" group you need to add them to. You
will find the group in the BUILTIN container in AD Users and Computers.
 
A

Anthony Yates

This is a Terminal Server restriction when running in Administration mode.
It only allows Administrators, and only two connections.
Anthony
 
P

ptwilliams

You can grant the appropriate permissions on the RDP connection I believe.

Add the user/ group to the Terminal Services Configuration\ Connections\
RDP-Tcp - properties - security DACL.


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


This is a Terminal Server restriction when running in Administration mode.
It only allows Administrators, and only two connections.
Anthony
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

What could cause this 'administrator' to experience "unable to logon locally" ? 2
Windows 2000 logon process 6
AD Sites and Terminal Server Logon 1
About security policy on terminal server 2
NT 4 domain clients authenticating to AD member server 1
Backup Operators 1
Win2000 DC logon with domain admin account problem 3
can't logon to domain, RPC service is unavailable 1

Top