Avatar of orbhot
orbhot
Flag for United States of America asked on

Can I allow non-administrators to log into console session?

I need to allow a user to log into a Windows 2003 server via Remote Desktop. I want them to be able to use the mstsc /console switch so that the can use the console session. However, the only way I know of doing this is to add this users to the local administrators group, which I don't want to do. Is there a way to let the user log into the console without adding them to admins?
Microsoft Server OSWindows Server 2003

Avatar of undefined
Last Comment
davidfencik

8/22/2022 - Mon
davidfencik

Phoenixke

Considering the console is logged on by default by the DOMAIN\Administrator I don't think so.
You can use VNC to allow the user to overtake the console but not using mstsc.
ggefter

in the active directory, there is an option in each users account, i think its on the dial in tab or the Terminal server tab, that will allow a user to log on remotely via a terminal server session. Uncheck the box that says "Deny the user permission to log onto a TS session" and on the dial -in tab that allows a person to dial in.
Your help has saved me hundreds of hours of internet surfing.
fblack61
Phoenixke

I stand corrected ^^.
I'll have to give that a try!
Psy053

You can set it on a Server - by Server basis by adding the user to the "Remote Desktop Users" group (which can be found by running compmgmt.msc

orbhot

ASKER
Psy053, you are not correct... adding them to RD users just allows them to log in, it does not allow them to log into the consoles session (session 0) unless they are in the Administrators group.
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
orbhot

ASKER
davidfencik, I looked through that page and that does not work... I have Users and Administrators already set under "Allow log on locally" in Local Policies/User Rights Assignment and, unless someone is in the local Administrators group, they get an error when trying to log onto a console session voe mstsc /console.
davidfencik

Look in the computer configuration local security policy. There is another group policy object to allow cocsole access.
rshooper76

What do you want them to be able to do once they log onto the console?  Most fuctions that woudl require this would require admin access anyway.
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
orbhot

ASKER
rshooper76, I need them to have persistent sessions. In other words, if they X out/disconnect (not log off), when they reconnect they end up with a new session. If someone logs in with /console they can disconnect, then reconnect later on and return to that same session.

David, Which node is it under, I don't see it?
rshooper76

Set your RDP policy to only allow them to have one sesssion, that will solve your problem.  Having a general user log onto the console is generally a bad idea.

 
ASKER CERTIFIED SOLUTION
orbhot

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
rshooper76

I guess I wdon't completely understand what you are trying to do.  Only one user at a tiem can use the console session.  If your users simply need to only be allowed to have one session each then configure your RDP connection or Group Policy to restrict this.
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
davidfencik

I think what you need to do is to go to terminal services configuration and set the session limits.  You can disable the maximum time for a disconnected session there.  That way you can reconnect a day or two later and your session will be preserved.  It is not necessary or beneficial to connect to the console session.

You can also change these settings on a per-user basis.

Restricting each user to a single session meshes well with this configuration.