Solved

Different access permissions for two terminal servers

Posted on 2010-11-11
11
285 Views
Last Modified: 2012-08-14
Hi,

I have a network with three servers, as follows:

1x Windows SBS 2003, primary domain controller
2x Windows 2008 Servers, domian controllers and terminal services servers

The SBS 2003 box should only accept terminal services sessions from administrators, whilst each of the two 2008 boxes shoud accept TS connections from a different group of users. (That is a different group of users for each 2008 box.)

Initially I went into computer/properties on each 2008 box and tried to set the users who could log into terminal services from there, but I noticed that changing this on one, changed it on both.

I then tried setting the remote access permissions to administrators only and created a group policy object for each 2008 box, and in each object setting the "allow logon through terminal services" to the appropriate group. I linked both of these policy objects to the domain controllers OU and then filtered each one to the appropriate computer. This did not appear to allow anyone but administrators in.

How do I acheive what I need?
0
Comment
Question by:rpm
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +2
11 Comments
 
LVL 1

Expert Comment

by:RoelvanDijnen
ID: 34110036
Did you set:
Computer Configuration > Windows Settings > Security Settings > Restricted Groups > Builtin\Remote Desktop Users?

And apply the GPO object in scope > security filtering to a AD security group for the Server (SG-TS01-SERVER) AND to a security group for the Users (SG-TS01USERS)
0
 
LVL 9

Expert Comment

by:MinoDC
ID: 34110097
Try this.

Logon on first 2008 server.
In server manager click on :
Configuration->Local Users and Groups->Groups
On Remote Desktop User and click Properties. Add user or group that you want.

Now please login on the second 2008 server and do the same operations.
0
 
LVL 1

Author Comment

by:rpm
ID: 34110117
MinoDC: There isn't a Local Users & Groups ... presumably because the server is a DC
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 1

Author Comment

by:rpm
ID: 34110147
RoelvanDijnen: A couple of questions for you ...
1) The Restricted Groups container is currently empty in my policy object ... do I add remote desktop users into this empty container?
2) I am not completly sure about your instructions for linking this policy object. Do I still link it to the Domain Controllers OU, and what filtering should I be using, is that the computer object and the user group object with access to this server?
Thanks,
Richard
0
 
LVL 23

Accepted Solution

by:
ormerodrutter earned 250 total points
ID: 34110184
One thing I am not 100% is that will a DC accepts TS connections from non admin?

Configure a DC to accept TS connections from ordinary users is not recommended, you never know what damage your users will cause.

I would suggest demote one of the box to a member server - that should bring back the Local User/Group in Computer Management.
0
 
LVL 1

Expert Comment

by:RoelvanDijnen
ID: 34110243
I use the 2008 GPO editor, so it may be a litle different.
But yes, I right click in de empty space, click "add" and browse for the Remote Desktop Users.
Then I select the mebers of the group in the same way..

Second:
Create three security groups for the servers (DC01SERVER, TS01SERVER, TS02SERVER) AND three groups for the users (DC01USER, TS01USER, TS02USER).  
Then create three GPO objects and link them al to the DC OU, but with different Security groups filtering.
Make sure there is no inherrited GPO interfering of course :)
0
 
LVL 24

Assisted Solution

by:Awinish
Awinish earned 250 total points
ID: 34110642
You are trying to apply two GPO to DC OU & permission with restricted access will win.

Any user who is not member of administrator,domain admin,enterprise admin will not be able to login remotely, since both the server are dc, what ever policy you will apply will be applied both the dc.

You can set deny option in user right assignment in GPO for particular group not to access but its recommended you only allow admin to access dc, else there can be break of security as well as stability of domain due to file deletion.

 
0
 
LVL 1

Author Comment

by:rpm
ID: 34110969
Following the general cconsensus, I have demoted one of the servers to a member server.

Now I cannot log on remotely at all! The staff at the data centre have logged on locally and confirmed that the administrator is in the remote access permissions group, but when I log on as the administrator remotely, it says the user doesn't have permissions. Any ideas?

My colleague is heading over to the data centre now

Richard
0
 
LVL 24

Expert Comment

by:Awinish
ID: 34111006
On server where you are having the issue, do following.
See to it RDP is enabled on the server with issue,just confirm again.

Take a registry backup on the desktop &  Delete the following keys  

Start Registry Editor.
Locate and then click the  following registry  subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TermService\Parameters
Under  this registry subkey, delete the following values:
Certificate
X509  Certificate
X509 Certificate ID

Quit Registry Editor, and then restart the  server  
Try taking RDP & if still it doesn't connect do the below.

Click Start, click Run, type regedit, and then  click OK   Locate and click the following subkey on the  left:  

HKLM\SYSTEM\CurrentControlSet\Control\Terminal  Server\WinStations\RDP-Tcp    

On the right,  locate and right-click on the  value named Security,
choose Rename, type Security.backup, and  then press Enter.  

Reboot the server as i had issue once did same got it working.
0
 
LVL 23

Expert Comment

by:ormerodrutter
ID: 34111457
Also check if Remote Access has been enabled on the server. Then check if access was blocked by firewall (Windows firewall or vendor's). For your reference RDP use port 3389 so if you can't find anything relevent open this port on the server firewall.
0
 
LVL 1

Author Comment

by:rpm
ID: 34111537
Turned out to be an IPv6 DNS error!
0

Featured Post

Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question