How do I grant TS access without giving users admin privileges?

Posted on 2009-02-24
Last Modified: 2012-05-06
We have three new servers: a domain controller, a terminal server, and a
file/app server that is a secondary domain controller.

We are still running using the old servers and I'm in the process of trying
to get everything setup on the new servers before we switch everyone over.
I'm almost at the point where I want to just have management bring in
someone to do this at be done with it.  But I'm trying to do it on my own
for 1) my own personal satisfaction to know that I can do it, and 2)
management would be much more impressed and happy if we don't have to pay
for someone else to do it.

I have setup the domain and added all of the user accounts.  I've created a
group policy that routes the users My Documents folder to a network share
(and creates it if it doesn't exist).  I've made the file/app server the
secondary domain controller and joined the terminal server to the domain.  I
have went through the steps to install terminal services and the licenses on
the terminal server.  I have installed the anti-virus on the file/app server
and used it to push it out to both the other servers and my PC (which I have
joined to the domain).

We have a new employee starting Thursday and I've been trying to set him up
on the domain to start with so I won't have to move him over.  He is my
first test case that doesn't have admin priviledges.  I created his account
on the domain controller and added him to the "Remote Desktop Users" group.
But when I try to logon as him to the terminal server it says he doesnt have
access to log on remotely.  I then created a group called "Remote Users" and
added all users to that group.  Then I added that group to the "Remote
Desktop Users" group on the Terminal Server (under Local Accounts).  This
worked but when I log on as this user, he has admin privileges (including
the option to "shut down the server").

What am I doing wrong?  How can I give users access to the Terminal Server
Question by:netadminjill
    LVL 6

    Expert Comment

    You should be able to remove the shut down option from their start menu using group policy.  This can be found in the User Configuration > Administrative Templates > Start Menu and Task bar > Remove and Prevent Access to the Shut Down command.

    Expert Comment

    I use the built-in Terminal Server Users group without a problem.
    LVL 1

    Author Comment

    Where do I find the built-in Terminal Server Users group?  
    On the domain controller or on the Terminal Server?
    LVL 1

    Author Comment

    Okay, I think I figured out how to do this... I added the user to the remote desktop users of the terminal server.. .and though he has the shut-down option... if he chooses that the only two options that come are log off and disconnect.

    Is there a way to hide the contents of the C: drive so he can't add stuff to it or remove stuff?

    I need to reroute all users internet favorites to their my documents folder on the network share instead of to the C:\documents&settings\username folder of the TS.

    Expert Comment

    If he doesn't have admin rights, he shouldn't be able to add or remove stuff from the C:\ drive. You could put a test file in there and then log in as him to test it if you're unsure.
    LVL 6

    Accepted Solution

    There is another group policy that allows you to hide drives.  User Configuration > Administrative Templates > Windows Components > Windows Explorer > Hide these specified drives in My Computer.

    Featured Post

    How your wiki can always stay up-to-date

    Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
    - Increase transparency
    - Onboard new hires faster
    - Access from mobile/offline

    Join & Write a Comment

    Storage devices are generally used to save the data or sometime transfer the data from one computer system to another system. However, sometimes user accidentally erased their important data from the Storage devices. Users have to know how data reco…
    Learn about cloud computing and its benefits for small business owners.
    This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
    With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

    734 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    21 Experts available now in Live!

    Get 1:1 Help Now