How do I grant TS access without giving users admin privileges?

Posted on 2009-02-24
Medium Priority
Last Modified: 2012-05-06
We have three new servers: a domain controller, a terminal server, and a
file/app server that is a secondary domain controller.

We are still running using the old servers and I'm in the process of trying
to get everything setup on the new servers before we switch everyone over.
I'm almost at the point where I want to just have management bring in
someone to do this at be done with it.  But I'm trying to do it on my own
for 1) my own personal satisfaction to know that I can do it, and 2)
management would be much more impressed and happy if we don't have to pay
for someone else to do it.

I have setup the domain and added all of the user accounts.  I've created a
group policy that routes the users My Documents folder to a network share
(and creates it if it doesn't exist).  I've made the file/app server the
secondary domain controller and joined the terminal server to the domain.  I
have went through the steps to install terminal services and the licenses on
the terminal server.  I have installed the anti-virus on the file/app server
and used it to push it out to both the other servers and my PC (which I have
joined to the domain).

We have a new employee starting Thursday and I've been trying to set him up
on the domain to start with so I won't have to move him over.  He is my
first test case that doesn't have admin priviledges.  I created his account
on the domain controller and added him to the "Remote Desktop Users" group.
But when I try to logon as him to the terminal server it says he doesnt have
access to log on remotely.  I then created a group called "Remote Users" and
added all users to that group.  Then I added that group to the "Remote
Desktop Users" group on the Terminal Server (under Local Accounts).  This
worked but when I log on as this user, he has admin privileges (including
the option to "shut down the server").

What am I doing wrong?  How can I give users access to the Terminal Server
Question by:netadminjill
  • 2
  • 2
  • 2

Expert Comment

ID: 23725795
You should be able to remove the shut down option from their start menu using group policy.  This can be found in the User Configuration > Administrative Templates > Start Menu and Task bar > Remove and Prevent Access to the Shut Down command.

Expert Comment

ID: 23725796
I use the built-in Terminal Server Users group without a problem.

Author Comment

ID: 23725853
Where do I find the built-in Terminal Server Users group?  
On the domain controller or on the Terminal Server?
NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.


Author Comment

ID: 23725991
Okay, I think I figured out how to do this... I added the user to the remote desktop users of the terminal server.. .and though he has the shut-down option... if he chooses that the only two options that come are log off and disconnect.

Is there a way to hide the contents of the C: drive so he can't add stuff to it or remove stuff?

I need to reroute all users internet favorites to their my documents folder on the network share instead of to the C:\documents&settings\username folder of the TS.

Expert Comment

ID: 23726218
If he doesn't have admin rights, he shouldn't be able to add or remove stuff from the C:\ drive. You could put a test file in there and then log in as him to test it if you're unsure.

Accepted Solution

ngailfus earned 2000 total points
ID: 23726271
There is another group policy that allows you to hide drives.  User Configuration > Administrative Templates > Windows Components > Windows Explorer > Hide these specified drives in My Computer.

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this post we will be converting StringData saved within a text file into a hash table. This can be further used in a PowerShell script for replacing settings that are dynamic in nature from environment to environment.
Windows Server 2003 introduced persistent Volume Shadow Copies and made 2003 a must-do upgrade.  Since then, it's been a must-implement feature for all servers doing any kind of file sharing.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question