Terminal Services (Administration mode) Security

G

Guest

I have an AD group 'RDPaccess' consisting of users from two domains: the
local domain and it's parent domain. I have added this group with full
access to the RDP connection in the Terminal Services Configuration
application on the Win2K server.

Using the remote desktop client:
Attempting to log in as a non-administrative user from the parent domain I
get the error 'You do not have permissions to log onto this session'. I
then added the RDPaccess group to the local machine administrators group
(just to see if the situation didn't improve) no dice.

I can however log onto the server using an administrative login from the
parent domain, and a non-administrative login (still a member of RDPaccess)
in the local domain.

Am I missing something? Any suggestions?

Thanks!
 
S

Steven L Umbach

On the Windows 2000 Terminal Server add your group to the logon locally user
right . Do that in Local Security Policy for a domain member and you would
have to do that in Domain Controller Security Policy for domain controllers.
Look under security settings/local policies/user rights. If the server is a
domain controller you may want to put in a child OU to the domain
controllers OU and then configure that user right via a GPO for that OU.
That will prevent that group from being able to logon to all domain
controllers locally. If you do such be sure administrators is also included
in the logon locally user right. Keep in mind that any "deny" user right
will override any "allow" user right and that administrators are also
members of the users and everyone groups. If you are doing this to a non
domain controller, be sure that the local setting equals the effective
setting after refreshing the policy. If it does not, there is a domain/OU
policy overriding the local policy. --- Steve
 
G

Guest

Steve Thanks! I figured my first issue was the delay in replication since
the child domain is half way around the world :) Second issue is just like
you said - If not specifically allowed the 'log on locally' user right on
the member servers the login is rejected. Since administrators have this
capability when I added the group to the administrators of the local machine
the problem was solved. (These folks will need admin access anyways).

Rock on!
 
S

Steven L Umbach

Glad you go it working. Just keep in mind that you do not have to make the
users local administrators to allow then to logon locally and that could
give users a lot more rights that needed to mess things up. --- Steve
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Child/Parent Domain sanity Check 3
Can't assign "log on locally" right 1
HELP !!! User cannot log into the Terminal Server 2
Domain authentication issues ... 9
lost right to logon interactively 2
Users should not shutdown or restart servers 2
"enterprise admins" member of local domain administrators ?! 2
is there a policy to stop users from connnecting local drives in RDP session 2

Top