• Status: Solved

Terminal Server is AD - need to remove

I have a new client.
They have a terminal server that is configured as an AD server (backup to the main SBS server).
Because of this, there are no local users/groups to add users to a remote users group.
The previous provider solved this problem by making all users domain administrators.

I want to remove all users from domain admins - and start to assign some normal security.
I want to remove the terminal server from being an AD server, so it remains a domain member but doesn't have AD.
I don't want to lose any of the profiles etc. already on the terminal server.

Or, given that it is handy to have a backup domain controller (in theory), is there a way around this?
It is only a small 10 user network.
At other sites I simply have the terminal server as a member server.

Thanks in advance
Asked by: wolfcamel
2 Solutions
 
oBdA Commented:
It's usually not recommended to run terminal services in application mode on a DC, though it happens quite often in small networks.
Demoting the machine won't cause issues with the profiles; the users don't change, after all, they're still the same domain users as before, only that they're logging on to a member server now.
If you want to keep it running as a DC, you definitely don't need to make the users Domain Admins, that's just madness. Create a domain local group "RDPUsersOnDC" or whatever name you want. Start the Terminal Services Configuration MMC on the TS, open the properties of the RDP protocol, go to the Permissions tab, and add this group with "User Access" and "Guest Access".
Then start secpol.msc on the TS (one of the rare occasions where you don't want to use the Domain Controllers policy), and add this group to the "Allow logon locally" user right in Local Policies\User Rights Assignment.
 
lamaslany Commented:
I want to remove all users from domain admins - and start to assign some normal security.
On the server run:  dsa.msc
Expand the directory tree to <domain>\Users
Open the properties of Domain Admins
Click on the Members tab
Select the necessary users and click Remove

I want to remove the terminal server from being an AD server, so it remains a domain member but doesn't have AD.
On the backup DC/terminal server run: dcpromo
Follow the wizard

I don't want to lose any of the profiles etc. already on the terminal server.

Demoting a domain controller will not delete the profiles.


Or, given that it is handy to have a backup domain controller (in theory), is there a way around this?
On the terminal server run:  tscc.msc
Right-click on the connection RDP-Tcp and click Properties
Click on the Permissions tab
Add the users to the list (they will need User Access)
You may also need to modify the local computer policy:
Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignments > Allow log on through Terminal Services
Note:  My suggestion would be to make a domain group containing the list of users that need access to the terminal server and add that group to the list of users for the Connection and Local Computer Policy settings.  This means that if a new user starts, all you need to do is add them to the group.
PS:  I would advise against using a DC as a terminal server.
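
The group-based cleanup that both answers describe (a dedicated group for terminal server users, then taking ordinary users out of Domain Admins) can also be scripted. This is an added example, not part of the original thread: it assumes the ActiveDirectory PowerShell module is available, reuses oBdA's group name RDPUsersOnDC, and the function name and keep list are hypothetical placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Assumption: the ActiveDirectory module (RSAT) is installed.
# $KeepAdmins holds constructed placeholder names; list the real admin accounts.

function Move-DomainAdminsToRdpGroup {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]   $RdpGroup   = 'RDPUsersOnDC',
        [string[]] $KeepAdmins = @('Administrator', 'it-admin-placeholder')
    )

    # Direct user members of Domain Admins that are not on the keep list.
    $demote = @(Get-ADGroupMember -Identity 'Domain Admins' |
        Where-Object { $_.objectClass -eq 'user' -and
                       $KeepAdmins -notcontains $_.SamAccountName })

    # Create the domain local security group if it does not exist yet.
    $group = Get-ADGroup -Filter "SamAccountName -eq '$RdpGroup'"
    if (-not $group -and
        $PSCmdlet.ShouldProcess($RdpGroup, 'Create domain local security group')) {
        $group = New-ADGroup -Name $RdpGroup -SamAccountName $RdpGroup `
            -GroupScope DomainLocal -GroupCategory Security -PassThru
    }

    # Current members, so an existing membership does not raise an error.
    $already = @()
    if ($group) {
        $already = @(Get-ADGroupMember -Identity $group |
            Select-Object -ExpandProperty SamAccountName)
    }

    foreach ($user in $demote) {
        if ($PSCmdlet.ShouldProcess($user.SamAccountName,
                "Add to $RdpGroup, then remove from Domain Admins")) {
            # Add first; -ErrorAction Stop aborts before the removal if the add fails,
            # so nobody is left without either membership.
            if ($already -notcontains $user.SamAccountName) {
                Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop
            }
            Remove-ADGroupMember -Identity 'Domain Admins' -Members $user -Confirm:$false
        }
        # Emit each affected account so the run can be reviewed or logged.
        $user | Select-Object SamAccountName, distinguishedName
    }
}

# Dry run: lists the accounts that would be moved without changing anything.
Move-DomainAdminsToRdpGroup -WhatIf
```

The script only handles group membership; the RDP-Tcp connection permission and the logon user right still have to be granted to the group as described in the answers above.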
 
lamaslany Commented:
Looks like oBdA beat me to the punch!  :)
 
wolfcamel (Author) Commented:
Thanks guys - points split - first answer addressed the concepts, second answer the specifics - 2nd answer probably would have been lodged first if it hadn't given me so much detail! So on this theory it deserves more points. Cheers.