Terminal Services (Administration mode) Security

user

Splendid
Dec 26, 2003
3,944
0
22,780
0
Archived from groups: microsoft.public.win2000.security (More info?)

I have an AD group 'RDPaccess' consisting of users from two domains: the
local domain and it's parent domain. I have added this group with full
access to the RDP connection in the Terminal Services Configuration
application on the Win2K server.

Using the remote desktop client:
Attempting to log in as a non-administrative user from the parent domain I
get the error 'You do not have permissions to log onto this session'. I
then added the RDPaccess group to the local machine administrators group
(just to see if the situation didn't improve) no dice.

I can however log onto the server using an administrative login from the
parent domain, and a non-administrative login (still a member of RDPaccess)
in the local domain.

Am I missing something? Any suggestions?

Thanks!
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

On the Windows 2000 Terminal Server add your group to the logon locally user
right . Do that in Local Security Policy for a domain member and you would
have to do that in Domain Controller Security Policy for domain controllers.
Look under security settings/local policies/user rights. If the server is a
domain controller you may want to put in a child OU to the domain
controllers OU and then configure that user right via a GPO for that OU.
That will prevent that group from being able to logon to all domain
controllers locally. If you do such be sure administrators is also included
in the logon locally user right. Keep in mind that any "deny" user right
will override any "allow" user right and that administrators are also
members of the users and everyone groups. If you are doing this to a non
domain controller, be sure that the local setting equals the effective
setting after refreshing the policy. If it does not, there is a domain/OU
policy overriding the local policy. --- Steve


<Navigato> wrote in message news:uooq4iJrEHA.1152@TK2MSFTNGP11.phx.gbl...
>I have an AD group 'RDPaccess' consisting of users from two domains: the
> local domain and it's parent domain. I have added this group with full
> access to the RDP connection in the Terminal Services Configuration
> application on the Win2K server.
>
> Using the remote desktop client:
> Attempting to log in as a non-administrative user from the parent domain I
> get the error 'You do not have permissions to log onto this session'. I
> then added the RDPaccess group to the local machine administrators group
> (just to see if the situation didn't improve) no dice.
>
> I can however log onto the server using an administrative login from the
> parent domain, and a non-administrative login (still a member of
> RDPaccess)
> in the local domain.
>
> Am I missing something? Any suggestions?
>
> Thanks!
>
>
 

user

Splendid
Dec 26, 2003
3,944
0
22,780
0
Archived from groups: microsoft.public.win2000.security (More info?)

Steve Thanks! I figured my first issue was the delay in replication since
the child domain is half way around the world :) Second issue is just like
you said - If not specifically allowed the 'log on locally' user right on
the member servers the login is rejected. Since administrators have this
capability when I added the group to the administrators of the local machine
the problem was solved. (These folks will need admin access anyways).

Rock on!

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:FCi9d.140637$wV.138303@attbi_s54...
> On the Windows 2000 Terminal Server add your group to the logon locally
user
> right . Do that in Local Security Policy for a domain member and you would
> have to do that in Domain Controller Security Policy for domain
controllers.
> Look under security settings/local policies/user rights. If the server is
a
> domain controller you may want to put in a child OU to the domain
> controllers OU and then configure that user right via a GPO for that OU.
> That will prevent that group from being able to logon to all domain
> controllers locally. If you do such be sure administrators is also
included
> in the logon locally user right. Keep in mind that any "deny" user right
> will override any "allow" user right and that administrators are also
> members of the users and everyone groups. If you are doing this to a non
> domain controller, be sure that the local setting equals the effective
> setting after refreshing the policy. If it does not, there is a domain/OU
> policy overriding the local policy. --- Steve
>
>
> <Navigato> wrote in message news:uooq4iJrEHA.1152@TK2MSFTNGP11.phx.gbl...
> >I have an AD group 'RDPaccess' consisting of users from two domains: the
> > local domain and it's parent domain. I have added this group with full
> > access to the RDP connection in the Terminal Services Configuration
> > application on the Win2K server.
> >
> > Using the remote desktop client:
> > Attempting to log in as a non-administrative user from the parent domain
I
> > get the error 'You do not have permissions to log onto this session'. I
> > then added the RDPaccess group to the local machine administrators group
> > (just to see if the situation didn't improve) no dice.
> >
> > I can however log onto the server using an administrative login from the
> > parent domain, and a non-administrative login (still a member of
> > RDPaccess)
> > in the local domain.
> >
> > Am I missing something? Any suggestions?
> >
> > Thanks!
> >
> >
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Glad you go it working. Just keep in mind that you do not have to make the
users local administrators to allow then to logon locally and that could
give users a lot more rights that needed to mess things up. --- Steve


<Navigato> wrote in message news:OO$owaUrEHA.644@tk2msftngp13.phx.gbl...
> Steve Thanks! I figured my first issue was the delay in replication since
> the child domain is half way around the world :) Second issue is just
> like
> you said - If not specifically allowed the 'log on locally' user right on
> the member servers the login is rejected. Since administrators have this
> capability when I added the group to the administrators of the local
> machine
> the problem was solved. (These folks will need admin access anyways).
>
> Rock on!
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:FCi9d.140637$wV.138303@attbi_s54...
>> On the Windows 2000 Terminal Server add your group to the logon locally
> user
>> right . Do that in Local Security Policy for a domain member and you
>> would
>> have to do that in Domain Controller Security Policy for domain
> controllers.
>> Look under security settings/local policies/user rights. If the server is
> a
>> domain controller you may want to put in a child OU to the domain
>> controllers OU and then configure that user right via a GPO for that OU.
>> That will prevent that group from being able to logon to all domain
>> controllers locally. If you do such be sure administrators is also
> included
>> in the logon locally user right. Keep in mind that any "deny" user right
>> will override any "allow" user right and that administrators are also
>> members of the users and everyone groups. If you are doing this to a non
>> domain controller, be sure that the local setting equals the effective
>> setting after refreshing the policy. If it does not, there is a domain/OU
>> policy overriding the local policy. --- Steve
>>
>>
>> <Navigato> wrote in message news:uooq4iJrEHA.1152@TK2MSFTNGP11.phx.gbl...
>> >I have an AD group 'RDPaccess' consisting of users from two domains: the
>> > local domain and it's parent domain. I have added this group with full
>> > access to the RDP connection in the Terminal Services Configuration
>> > application on the Win2K server.
>> >
>> > Using the remote desktop client:
>> > Attempting to log in as a non-administrative user from the parent
>> > domain
> I
>> > get the error 'You do not have permissions to log onto this session'.
>> > I
>> > then added the RDPaccess group to the local machine administrators
>> > group
>> > (just to see if the situation didn't improve) no dice.
>> >
>> > I can however log onto the server using an administrative login from
>> > the
>> > parent domain, and a non-administrative login (still a member of
>> > RDPaccess)
>> > in the local domain.
>> >
>> > Am I missing something? Any suggestions?
>> >
>> > Thanks!
>> >
>> >
>>
>>
>
>
 

ASK THE COMMUNITY