Solved

Terminal Services Server - Software requires local administrator rights to run

Posted on 2007-12-06
Last Modified: 2012-05-05
Hello Everyone,
I am setting up terminal services for 10 users to connect to a remote server and run an application called Medisoft.  The application requires local administrator privileges to run, which would be fine if the machine was running XP, but it's not.

First, I attempted to set up the software and terminal services on a NAS box running Storage Server 2003.  I created users in Active Directory and then added user accounts with the same name through users and groups.  Unfortunately, there was no location in Storage Server Users and Groups to select "from this location", so I couldn't add domain users to the local administrators group (also tried using the "\DOMAIN\user" format, but it didn't work).  Even when giving the users full administrator access through Active Directory and logging in, they still weren't able to run the software.

Decided to run the software on the Server 2003 unit instead.  The problem I'm having is that the software won't work unless the user account is a member of the administrators group (defined through AD).  I don't want to give them that much access on my server; I just want them to be able to access this one application.  I've created a group for these users and could add the group to the Default Domain Controller Security Settings/Local Policies, but I don't know what policies they need to be added to.

Is there a way on Storage Server to add domain users as local administrators, or a way in Server 2003 to give terminal services users local administrator rights without making them full administrators?
0
Question by:GroundHawg
13 Comments
 
LVL 6

Expert Comment

by:GCD1
ID: 20423216
Would it be possible to open the program on the Terminal Server using the "runas" command?

More detail available here if you have never used it:

https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/runas.mspx?mfr=true

You could run it with the local computer administrator under the /user flag.
0
 
LVL 5

Accepted Solution

by:
Nicholas Iler earned 500 total points
ID: 20423231
Sounds like a rights issue. Have you tried adding these domain users to the "C:\Program Files\Medisoft\" and giving them full access as a test?

Also, you can use Group Policy "Restricted Groups" and add these users to the local groups on your server.

You should also be able to just enter them manually through "Computer Management" since there is only one server. We used Restricted Groups when we needed to add users to local groups on more than 100 systems. Took about 5 min !-)
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 20423242
What you need to do is put the application on a server that is a member server instead of a DC.  If you're using it as a terminal server, the server should not be a DC anyway.  A member server has a local administrators group that you could add the users to.  Not that I would recommend that, but if that's the only way you can get the application to run, I suppose you have to do it.  If it were me, I would put it on a completely separate member server and limit user access as much as you can through group policies - for example, don't allow them to shut down the terminal server, etc.
0
 

Author Comment

by:GroundHawg
ID: 20423308
Although the runas command does allow the user to run the software with administrator privileges, it would require me to provide the user with an administrator password.  I suppose I could create a shortcut to the application using the "runas" command and then create a different account with administrator privileges and provide them with that administrator password.  However, a savvy user could easily edit the shortcut and then have an administrator login to the server.
0
 

Author Comment

by:GroundHawg
ID: 20423356
hypercat,
This was the first thing I tried to do; however, we don't have a member server running full-blown server.  It is running Storage Server 2003.  Do you know how to add domain user accounts to a local administrator group on Storage Server 2003?  Through users and groups there is no location to select "From this location" so you can specify Active Directory.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 20423460
Unfortunately I'm not familiar with the Storage Server configuration.  Can you even run terminal services on this version?
0
 

Author Comment

by:GroundHawg
ID: 20423479
Nickiler,
Providing the user group that I'd placed these terminal services users in full control over the Program Files directory solved the problem.  I forgot to even think about this because the software developers told me the users had to have local administrator rights!  Adding that same user group to restricted groups to prevent them from screwing with the server was also a good idea which I've just implemented.  Thanks for the help, I'm awarding you the points.
0
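
The fix confirmed above, as an added example that is not part of any post in the thread: a PowerShell script that grants one domain group rights on the application folder only and reports whether that group is still a direct member of Administrators. The group name `EXAMPLE\MedisoftTSUsers` and the availability of PowerShell on the terminal server are assumptions; the folder path is the one quoted in the accepted answer. Run it from an elevated session.

```powershell
# Added example. $Group is a hypothetical name; $AppPath is the folder
# quoted in the accepted answer. Adjust both to the real environment.
param(
    [string]$AppPath = 'C:\Program Files\Medisoft',
    [string]$Group   = 'EXAMPLE\MedisoftTSUsers',
    # 'FullControl' is what the thread tested with. 'Modify' is a narrower
    # grant worth trying first (assumption: the application may not need more).
    [string]$Rights  = 'FullControl'
)

function Test-InLocalAdministrators {
    param([string]$Identity)
    # 'net localgroup' prints direct members only, one per line.
    $members = net localgroup Administrators | ForEach-Object { $_.Trim() }
    return ($members -contains $Identity)
}

function Grant-AppFolderAccess {
    param([string]$Path, [string]$Identity, [string]$Rights)
    $acl  = Get-Acl -Path $Path
    # Allow ACE that inherits to subfolders and files under the app folder.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

if (-not (Test-Path $AppPath)) {
    throw "Application folder not found: $AppPath"
}

# If the group is still an administrator, the folder ACL is not what limits it.
if (Test-InLocalAdministrators $Group) {
    Write-Warning "$Group is a direct member of Administrators; remove it before relying on the folder ACL."
}

Grant-AppFolderAccess -Path $AppPath -Identity $Group -Rights $Rights

# Show the resulting entries for the group so the grant can be reviewed.
(Get-Acl -Path $AppPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

The membership check does not resolve nested groups, so a group that reaches Administrators through another group will not trigger the warning.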
 
LVL 5

Expert Comment

by:Nicholas Iler
ID: 20423517
Glad to hear this worked for you. We have lots of users that require special software so I've dealt with lots of rights related issues lately !-)
0
 

Author Comment

by:GroundHawg
ID: 20423548
Nickiler,
What happens if you add a group to restricted groups?
0
 

Author Comment

by:GroundHawg
ID: 20423568
I misunderstood and was under the impression that you were referring to adding the group I created to each of the respective group policies.
0
 
LVL 5

Expert Comment

by:Nicholas Iler
ID: 20424014
The name is very misleading and it took me some time to understand myself.

I am not sure how this feature could help you further since your issue is resolved. I can tell you how we used "Restricted Groups".

We used this feature to disable all non-domain accounts on our client systems. We added an entry for "Users" and added "Domain Users" therefore initiating the Group Policy to disable all local user accounts instantly and allowing only "Domain Users" as local accounts.

We use Terminal Services and some have tried to log in locally to dip below our radar. This was our solution to this since all the computers had random local users and it would have taken forever to manually disable them.
0
 
LVL 5

Expert Comment

by:Nicholas Iler
ID: 20424030
This is where I originally discovered this feature:
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
0
 

Author Comment

by:GroundHawg
ID: 20428200
Thanks for the help.  Good article, but you are correct, restricted groups aren't necessary in my situation.
0
