Solved

Terminal Services Server - Software requires local administrator rights to run

Posted on 2007-12-06
Last Modified: 2012-05-05
Hello Everyone,
I am setting up terminal services for 10 users to connect to a remote server and run an application called Medisoft.  The application requires local administrator privileges to run which would be fine if the machine was running XP, but it's not.  First, I attempted to set up the software and terminal services on a NAS box running Storage Server 2003.  I created users in active directory and then added user accounts with the same name through users and groups.  Unfortunately, there was no location in Storage Server Users and Groups to select "from this location" so I couldn't add domain users to the local administrators group (also tried using the "\DOMAIN\user" format, but it didn't work).  Even when giving the users full administrator access through active directory and logging in, they still weren't able to run the software.  Decided to run the software on the Server 2003 unit instead.  The problem I'm having is that the software won't work unless the user account is a member of the administrators group (defined through AD).  I don't want to give them that much access on my server, I just want them to be able to access this one application.  I've created a group for these users and could add the group to the Default Domain Controller Security Settings/Local Policies, but I don't know what policies they need to be added to.  Is there a way on Storage server to add domain users as local administrators or a way in Server 2003 to give terminal services users local administrator rights without making them full administrators?
Question by:GroundHawg
13 Comments
 
LVL 6

Expert Comment

by:GCD1
ID: 20423216
Would it be possible to open the program on the Terminal Server using the "runas" command?

More detail available here if you have never used it:

https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/runas.mspx?mfr=true

You could run it with the local computer administrator under the /user flag.
0
 
LVL 5

Accepted Solution

by:
Nicholas Iler earned 500 total points
ID: 20423231
Sounds like a rights issue. Have you tried adding these domain users to the "C:\Program Files\Medisoft\" and giving them full access as a test?

Also, you can use Group Policy "Restricted Groups" and add these users to the local groups on your server.

You should also be able to just enter them manually through "Computer Management" since there is only one server. We used Restricted Groups when we needed to add users to local groups on more than 100 systems. Took about 5 min !-)
0
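The directory-permission test suggested in the answer above, written out as an added PowerShell example (not part of any post in this thread). It assumes PowerShell is installed on the server and that `EXAMPLE\TS-Medisoft-Users` is a hypothetical domain group holding the terminal services users; the path is the one quoted in the answer. The default right is full control as in the answer, and `-Rights Modify` grants a narrower right that leaves out changing permissions and taking ownership.

```powershell
# Added example: grant a domain group rights on the application directory
# instead of adding its members to the Administrators group.
$AppDir = 'C:\Program Files\Medisoft'     # path quoted in the answer
$Group  = 'EXAMPLE\TS-Medisoft-Users'     # hypothetical group name

function Grant-AppDirAccess {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'FullControl'
    )
    if (-not (Test-Path -Path $Path -PathType Container)) {
        throw "Directory not found: $Path"
    }
    # Resolve the account first so a mistyped name fails before the ACL changes.
    $account = New-Object System.Security.Principal.NTAccount($Identity)
    $null = $account.Translate([System.Security.Principal.SecurityIdentifier])

    # Apply to this folder, its subfolders and its files.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, $Rights, $inherit, $propagate, $allow)

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)             # merges with existing entries
    Set-Acl -Path $Path -AclObject $acl
}

function Get-AppDirAccess {
    param([string]$Path, [string]$Identity)
    # Explicit (non-inherited) entries for the group, to confirm the change.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags
}

Grant-AppDirAccess -Path $AppDir -Identity $Group
Get-AppDirAccess   -Path $AppDir -Identity $Group
```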
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 20423242
What you need to do is put the application on a server that is a member server instead of a DC.  If you're using it as a terminal server, the server should not be a DC anyway.  A member server has a local administrators group that you could add the users to.  Not that I would recommend that, but if that's the only way you can get the application to run, I suppose you have to do it.  If it were me, I would put it on a completely separate member server and limit user access as much as you can through group policies - for example, don't allow them to shut down the terminal server, etc.
0
 

Author Comment

by:GroundHawg
ID: 20423308
Although the runas command does allow the user to run the software with administrator privileges it would require me to provide the user with an administrator password.  I supposed I could create a shortcut to the application using the "runas" command and then create a different account with administrator privileges and provide them with that administrator password.  However, a savvy user could easily edit the shortcut and then have an administrator login to the server.
0
 

Author Comment

by:GroundHawg
ID: 20423356
hypercat,
This was the first thing I tried to do, however, we don't have a member server running full-blown server.  It is running Storage Server 2003.  Do you know how to add domain user accounts to a local administrator group on Storage Server 2003?  Through users and groups there is no location to select "From this location" so you can specify active directory.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 20423460
Unfortunately I'm not familiar with the Storage Server configuration.  Can you even run terminal services on this version?
0
 

Author Comment

by:GroundHawg
ID: 20423479
Nickiler,
Providing the user group that I'd placed these terminal services users in full control over the Program Files directory solved the problem.  I forgot to even think about this because the software developers told me the users had to have local administrator rights!  Adding that same user group to restricted groups to prevent them from screwing with the server was also a good idea which I've just implemented.  Thanks for the help, I'm awarding you the points.
0
 
LVL 5

Expert Comment

by:Nicholas Iler
ID: 20423517
Glad to hear this worked for you. We have lots of users that require special software so I've dealt with lots of rights related issues lately !-)
0
 

Author Comment

by:GroundHawg
ID: 20423548
Nickiler,
What happens if you add a group to restricted groups?
0
 

Author Comment

by:GroundHawg
ID: 20423568
I misunderstood and was under the impression that you were referring to adding the group I created to each of the respective group policies.
0
 
LVL 5

Expert Comment

by:Nicholas Iler
ID: 20424014
The name is very misleading and it took me some time to understand myself.

I am not sure how this feature could help you further since your issue is resolved. I can tell you how we used "Restricted Groups".

We used this feature to disable all non-domain accounts on our client systems. We added an entry for "Users" and added "Domain Users" therefore initiating the Group Policy to disable all local user accounts instantly and allowing only "Domain Users" as local accounts.

We use Terminal Services and some have tried to log in locally to dip below our radar. This was our solution to this since all the computers had random local users and it would have taken forever to manually disable them.
0
 
LVL 5

Expert Comment

by:Nicholas Iler
ID: 20424030
This is where I originally discovered this feature:
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
0
 

Author Comment

by:GroundHawg
ID: 20428200
Thanks for the help.  Good article, but you are correct, restricted groups aren't necessary in my situation.
0
