Solved

Terminal Services Server - Software requires local administrator rights to run

Posted on 2007-12-06
Last Modified: 2012-05-05
Hello Everyone,
I am setting up terminal services for 10 users to connect to a remote server and run an application called Medisoft.  The application requires local administrator privileges to run which would be fine if the machine was running XP, but it's not.  First, I attempted to set up the software and terminal services on a NAS box running Storage Server 2003.  I created users in Active Directory and then added user accounts with the same name through users and groups.  Unfortunately, there was no location in Storage Server Users and Groups to select "from this location" so I couldn't add domain users to the local administrators group (also tried using the "\DOMAIN\user" format, but it didn't work).  Even when giving the users full administrator access through Active Directory and logging in, they still weren't able to run the software.  Decided to run the software on the Server 2003 unit instead.  The problem I'm having is that the software won't work unless the user account is a member of the administrators group (defined through AD).  I don't want to give them that much access on my server; I just want them to be able to access this one application.  I've created a group for these users and could add the group to the Default Domain Controller Security Settings/Local Policies, but I don't know what policies they need to be added to.  Is there a way on Storage Server to add domain users as local administrators or a way in Server 2003 to give terminal services users local administrator rights without making them full administrators?
Question by:GroundHawg
13 Comments
 
LVL 6

Expert Comment

by:GCD1
ID: 20423216
Would it be possible to open the program on the Terminal Server using the "runas" command?

More detail available here if you have never used it:

https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/runas.mspx?mfr=true

You could run it with the local computer administrator under the /user flag.
0
 
LVL 5

Accepted Solution

by:
Nicholas Iler earned 500 total points
ID: 20423231
Sounds like a rights issue. Have you tried adding these domain users to the "C:\Program Files\Medisoft\" and giving them full access as a test?

Also, you can use Group Policy "Restricted Groups" and add these users to the local groups on your server.

You should also be able to just enter them manually through "Computer Management" since there is only one server. We used Restricted Groups when we needed to add users to local groups on more than 100 systems. Took about 5 min !-)
0
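The folder-permission approach suggested in the answer above, as an added PowerShell example that is not part of the original thread: it grants one domain group rights on the Medisoft folder only, lists the explicit ACEs that result, and checks that the group has not also been placed in the local Administrators group. The group name `DOMAIN\MedisoftTS` is a placeholder, and the availability of PowerShell on the server is an assumption.

```powershell
# Added example (not from the thread). Placeholder: DOMAIN\MedisoftTS.
$AppFolder = 'C:\Program Files\Medisoft'   # path quoted in the answer above
$Group     = 'DOMAIN\MedisoftTS'           # placeholder group for the terminal services users
$Rights    = 'FullControl'                 # the "as a test" setting; try 'Modify' once the app runs

function Grant-AppFolderAccess {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    # Apply to the folder, its subfolders and its files.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $inherit, $propagate, $allow

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)              # merges with existing ACEs, does not replace them
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ExplicitAccess {
    param([string]$Path, [string]$Identity)
    # Only ACEs set directly on this folder for this identity (inherited ones excluded).
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags
}

function Test-InLocalAdministrators {
    param([string]$Identity)
    # 'net localgroup' prints one member per line; match the group name literally.
    $members = & net localgroup Administrators
    [bool]($members | Where-Object { $_ -match [regex]::Escape($Identity) })
}

Grant-AppFolderAccess -Path $AppFolder -Identity $Group -Rights $Rights
Get-ExplicitAccess    -Path $AppFolder -Identity $Group | Format-Table -AutoSize

if (Test-InLocalAdministrators -Identity $Group) {
    Write-Warning "$Group is still a member of Administrators; the folder ACL alone should be enough."
}
```

Scoping the rule to the application folder rather than all of `Program Files` keeps the group from being able to modify other installed software.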
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 20423242
What you need to do is put the application on a server that is a member server instead of a DC.  If you're using it as a terminal server, the server should not be a DC anyway.  A member server has a local administrators group that you could add the users to.  Not that I would recommend that, but if that's the only way you can get the application to run, I suppose you have to do it.  If it were me, I would put it on a completely separate member server and limit user access as much as you can through group policies - for example, don't allow them to shut down the terminal server, etc.
0

 

Author Comment

by:GroundHawg
ID: 20423308
Although the runas command does allow the user to run the software with administrator privileges, it would require me to provide the user with an administrator password.  I suppose I could create a shortcut to the application using the "runas" command and then create a different account with administrator privileges and provide them with that administrator password.  However, a savvy user could easily edit the shortcut and then have an administrator login to the server.
0
 

Author Comment

by:GroundHawg
ID: 20423356
hypercat,
This was the first thing I tried to do; however, we don't have a member server running full-blown Server.  It is running Storage Server 2003.  Do you know how to add domain user accounts to a local administrator group on Storage Server 2003?  Through users and groups there is no location to select "From this location" so you can specify Active Directory.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 20423460
Unfortunately I'm not familiar with the Storage Server configuration.  Can you even run terminal services on this version?
0
 

Author Comment

by:GroundHawg
ID: 20423479
Nickiler,
Providing the user group that I'd placed these terminal services users in full control over the Program Files directory solved the problem.  I forgot to even think about this because the software developers told me the users had to have local administrator rights!  Adding that same user group to restricted groups to prevent them from screwing with the server was also a good idea which I've just implemented.  Thanks for the help, I'm awarding you the points.
0
 
LVL 5

Expert Comment

by:Nicholas Iler
ID: 20423517
Glad to hear this worked for you. We have lots of users that require special software so I've dealt with lots of rights related issues lately !-)
0
 

Author Comment

by:GroundHawg
ID: 20423548
Nickiler,
What happens if you add a group to restricted groups?
0
 

Author Comment

by:GroundHawg
ID: 20423568
I misunderstood and was under the impression that you were referring to adding the group I created to each of the respective group policies.
0
 
LVL 5

Expert Comment

by:Nicholas Iler
ID: 20424014
The name is very misleading and it took me some time to understand myself.

I am not sure how this feature could help you further since your issue is resolved. I can tell you how we used "Restricted Groups".

We used this feature to disable all non-domain accounts on our client systems. We added an entry for "Users" and added "Domain Users" therefore initiating the Group Policy to disable all local user accounts instantly and allowing only "Domain Users" as local accounts.

We use Terminal Services and some have tried to log in locally to dip below our radar. This was our solution to this since all the computers had random local users and it would have taken forever to manually disable them.
0
 
LVL 5

Expert Comment

by:Nicholas Iler
ID: 20424030
This is where I originally discovered this feature:
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
0
 

Author Comment

by:GroundHawg
ID: 20428200
Thanks for the help.  Good article, but you are correct, restricted groups aren't necessary in my situation.
0


Question has a verified solution.
