Solved

Terminal Server 2003 and logon rights (locally/terminal/remote desktop users)

Posted on 2006-10-31
Last Modified: 2008-01-09
Situation: One Windows Server 2003 R2 configured as Domain Controller, Terminal Server, File, Print, DHCP, DNS etc. This is the only server in a closed network, as in not connected to the internet, and it will have 6 thin clients (Wyse V30) connected to it.

I've got the good ol' problem when trying to logon as a normal user to the Terminal Server with the RDP client in Wyse:

"To log on to this remote computer, you must have Terminal Server User Access permissions on this computer. By default, members of the Remote Desktop User group have these permissions. If you are not a member of the Remote Desktop User group or another group that has these permissions, or if the Remote Desktop User group does not have these permissions, you must be granted these permissions manually."

Ok - I can read. I could add all my users to the "Remote Desktop User", but this is just extra work each time a user is added to the system. I want all domain users (and admins) to be able to log on and want this as a default setting. I've read I need to allow BOTH locally and TS logins. So, I made two GPOs:

1) Comp Security - Allow Log On Locally Policy:
Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment:
Allow log on locally ==> MYDOMAIN\Domain Users, MYDOMAIN\Domain Admins, BUILTIN\Administrators

2) Comp Security - Allow Log On Terminal Server:
Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment:
Allow log on through Terminal Services ==> MYDOMAIN\Domain Users, MYDOMAIN\Domain Admins, BUILTIN\Administrators

I then linked them into the "Domain Controllers" OU. But that did not work :( Why? Should it be linked to another OU instead? The entire domain (MYDOMAIN.local)? Or perhaps on "users OU"?
Question by:Secode
12 Comments
 
LVL 14

Expert Comment

by:inbarasan
ID: 17841121
Check the policy in Deny logon locally also. You must do these settings in Domain Controller policy. Hope this helps.
0
 
LVL 1

Author Comment

by:Secode
ID: 17841287
All I find in "Default Domain Controllers Policy" is:
Deny log on locally ==> MYDOMAIN\SUPPORT_######## (8 numbers and letters)

My two GPOs do not have "Deny log on locally" and "Deny log on through Terminal Services" set; they are "Not configured".

I also know I can add Domain Users to the terminal service itself, but as I've tried to explain, I want to keep things clean and configured through GPOs.
0
 
LVL 14

Assisted Solution

by:inbarasan
inbarasan earned 100 total points
ID: 17841368
If it is not configured in GPO then it will use local settings of the server. So run this command gpedit.msc on your run prompt and check if there are any settings.
0
 
LVL 1

Author Comment

by:Secode
ID: 17841402
My Local Policy states the following users in "Allow log on locally" and "Allow log on through Terminal Services":
-Domain Users
-Domain Administrator
-Administrator

"Deny log on locally" ==> MYDOMAIN\SUPPORT_######## (8 numbers and letters)  <-- same as the Domain Default GPO

"Deny log on through Terminal Services" ==> Guests
0
 
LVL 1

Author Comment

by:Secode
ID: 17841622
I just thought of something..

The reason for users belonging to the Remote Desktop Users is because that group is in the permissions list of the Terminal Service. And if I don't add Domain Users to this list, I'm probably never going to get RDP logon, even with my GPO settings?

.. right?

It works fine if I add Domain Users to the Terminal Service Permission list, even without my two GPOs...!!!?!


Arg.. I'm confused.. is it possible to control access to TS with GPO only?
0
 
LVL 8

Expert Comment

by:caddlady
ID: 17841735
Yes, you are correct. If the users or group are not in the Remote Desktop Users Group, they will not be able to log on.
0
 
LVL 8

Expert Comment

by:caddlady
ID: 17841739
It is like setting an OU to be an Administrator in the GPO but not adding them to the Administrator Group.
0
 
LVL 1

Author Comment

by:Secode
ID: 17841788
caddlady - 1st comment: Well.. I don't want to use the Remote Desktop User Group, since then I have to do one more thing when I add a user to the domain; read: add user to the Remote Desktop User Group. So I added the Domain Users Group to the permission list for TS. Then I don't have to think about adding users to a group to allow TS connection, they will get it automatically. I do this since the users only have a thin client so the server is all they have to work on. This should work fine, don't you think? (I've more or less confirmed it..)

0
 
LVL 8

Expert Comment

by:caddlady
ID: 17841810
That should do it!

Here is a good document from Microsoft about Terminal Services:  
http://download.microsoft.com/download/8/2/f/82f0bbb9-1c53-4f2b-8a6a-9864cb4c73a5/TSWhatsNew.doc
0
 
LVL 8

Accepted Solution

by:
caddlady earned 400 total points
ID: 17841828
Since the entire network is not connected to the outside world and every user you add needs access, I see no harm in using that wide of a spectrum as all Domain Users.
0
 
LVL 1

Author Comment

by:Secode
ID: 17841874
One last question.. Since this is a one-server, closed network situation and only thin clients.. is there no need for my two GPOs? I have removed them and I am allowed to log in from the thin client still :)
0
 
LVL 8

Expert Comment

by:caddlady
ID: 17842020
They are very handy when you need to manage and deploy security, applications, etc., but, if you do not need to manage anything with them, don't use them.
0
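The two checks this thread turns on, the "Allow log on through Terminal Services" user right and the Terminal Service (RDP-Tcp) permission list, modelled as an added example that is not part of any post above. The INF text imitates the [Privilege Rights] section of a `secedit /export` file; it, the domain SID, the function names and the permission-list sets are all constructed assumptions, not data from the asker's server.

```python
import re

# Constructed SIDs: the three BUILTIN ones are well-known, the domain SID is made up.
ADMINISTRATORS = "S-1-5-32-544"
GUESTS = "S-1-5-32-546"
REMOTE_DESKTOP_USERS = "S-1-5-32-555"
DOMAIN_USERS = "S-1-5-21-1111111111-2222222222-3333333333-513"

# Constructed sample shaped like a user-rights export (not real server output).
SAMPLE_INF = f"""\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *{ADMINISTRATORS},*{DOMAIN_USERS}
SeRemoteInteractiveLogonRight = *{ADMINISTRATORS},*{DOMAIN_USERS}
SeDenyRemoteInteractiveLogonRight = *{GUESTS}
"""

def parse_privilege_rights(inf_text):
    """Return {right name: set of SIDs} from the [Privilege Rights] section."""
    rights, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {v.strip().lstrip("*")
                                    for v in value.split(",") if v.strip()}
    return rights

def ts_logon_decision(token_sids, rights, rdp_tcp_permissions):
    """Apply both gates to a user whose group SIDs are token_sids."""
    token = set(token_sids)
    if token & rights.get("SeDenyRemoteInteractiveLogonRight", set()):
        return (False, "denied by user right")      # deny wins over allow
    if not token & rights.get("SeRemoteInteractiveLogonRight", set()):
        return (False, "user right not granted")
    if not token & set(rdp_tcp_permissions):
        return (False, "not on RDP-Tcp permission list")
    return (True, "allowed")

if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_INF)
    acl = {ADMINISTRATORS, REMOTE_DESKTOP_USERS}   # assumed starting list
    print(ts_logon_decision([DOMAIN_USERS], rights, acl))
    print(ts_logon_decision([DOMAIN_USERS], rights, acl | {DOMAIN_USERS}))
```

The first call reproduces the asker's failure (user right granted, but the account is in no group on the permission list); the second shows the fix the thread settles on.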
