zotfarms

asked on

RDP Users seem to have Admin Priveleges on TS Server 2003

I have been hired by a new employer.  Their old IT person did weird things with permissions.  One in particular is that all users that RDP to the TS server 2003 seem to have Admin privileges to the server.  In AD they are only members of the Domain Users group.  The Domain Users group does not seem to be a member of any admin groups.  If I create a brand new user from scratch, it also seems to have domain admin privileges.  How can I restrict these accounts?  Is there possibly a GPO in place?  The server is also a Metaframe server, but we are moving away from it.  Could that be giving the users elevated privileges?
jonahzona

I would look at the local policies. It sounds like a local issue. You may also want to check the permissions in your TS configuration.
Radhakrishnan
Also you can check the SYSVOL folder and check the permission of the GUID, and particularly the Default Domain Policy; inside that, the .gpt file permission. If it is incorrect, then whenever you create a user they will get admin rights automatically. I faced this issue some years back.
Default permissions will be:
Domain\Administrators: Full Control
System: Full Control
Domain\Users: Read & Edit, Read

If I remember correctly, 31B2F340-016D-11D2-945F-00C04FB984F9 is the GUID for the Default Domain Policy.
zotfarms

ASKER

This server is going away in about a week with server 2008 RDP Server.  Is it possible that this behavior is due to Citrix Metaframe server 4 on the server 2003?  Citrix will not be on the new server.  Could this problem be tied to the Metaframe?
If I remove the user from the "Domain Users" group and make it a member of "Users", it will no longer allow that user to connect with RDP.  I added that user in the user rights in the OU GPO that the user lives in, but it still won't allow me to connect.  I wonder if I can make that group connect, and if it will solve my problem.
Under the "Users" group, I get the error that the user cannot connect to the server remotely, and must be granted permission to connect.  I have added the group to both the GPO and the local security policy of the TS server 2003.  But it still will not connect unless I add back the "Domain Users" group.
I found folder 31B2F340-016D-11D2-945F-00C04FB984F9 in the sysvol folder.  The permissions on the folder seem fine, but I cannot find the .gpt file.  Where does it live?
ASKER CERTIFIED SOLUTION
James

SOLUTION
I am beginning to think it is Citrix.  If I try to connect the user directly to the DC, it requires the remote desktop permission.  When I give that, it allows me to connect, but as a restricted user.  I cannot shut down that server.  So maybe Citrix gives the users on the TS admin rights on the box, not the domain.  However, I still don't want them to have admin rights on the box either.
Both of the selected answers were the fix.  The Domain Users group had been made part of the local Administrators group on the box.  Once the group was removed from the local Administrators group, I went to the Terminal Services Configuration and added the Domain Users group permissions, and it now allows those users to connect without admin privileges.
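The root cause the asker eventually found (a broad domain group nested in the server's local Administrators group) and the SYSVOL check Radhakrishnan suggested are both things a new administrator inheriting a box can audit in a few lines. The following script is an added example written for this thread, not code posted by any participant. It assumes it runs on the terminal server itself with PowerShell 2.0 or later, that the WinNT ADSI provider is available (it is on Server 2003), and that the SYSVOL path is the standard `\\<domain>\SYSVOL\<domain>\Policies` layout; the `$BroadGroups` list and the `$Domain`/`$SysvolRoot` parameters are assumptions you may need to adjust. It only reads membership and ACLs; it changes nothing.

```powershell
# Added example: audit a terminal server for the misconfiguration discussed in this thread.
# Assumptions: runs locally on the TS box, PowerShell 2.0+, standard SYSVOL layout.
param(
    [string]$Domain     = $env:USERDOMAIN,     # assumption: NetBIOS domain name
    [string]$SysvolRoot = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"  # assumption
)

# Groups that should never be direct members of a server's local Administrators group.
$BroadGroups = @("Domain Users", "Everyone", "Authenticated Users", "Users")

# Principals expected to hold write access on a GPO folder in SYSVOL.
$ExpectedGpoWriters = @("BUILTIN\Administrators", "NT AUTHORITY\SYSTEM",
                        "$Domain\Domain Admins", "$Domain\Enterprise Admins",
                        "CREATOR OWNER", "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS")

function Get-LocalGroupMembers {
    param([string]$GroupName)
    # WinNT provider lists the direct members of a local group (works on Server 2003).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($member in $group.Invoke("Members")) {
        $name = $member.GetType().InvokeMember("Name",   "GetProperty", $null, $member, $null)
        $path = $member.GetType().InvokeMember("ADsPath", "GetProperty", $null, $member, $null)
        New-Object PSObject -Property @{ Name = $name; Path = $path }
    }
}

# 1. Flag broad groups nested in local Administrators (the cause found in this thread).
Write-Host "== Local Administrators members =="
foreach ($m in Get-LocalGroupMembers -GroupName "Administrators") {
    if ($BroadGroups -contains $m.Name) {
        Write-Warning ("Local Administrators contains broad group '{0}' ({1})" -f $m.Name, $m.Path)
    } else {
        Write-Host ("  {0}  [{1}]" -f $m.Name, $m.Path)
    }
}

# 2. Show who is granted RDP through the local Remote Desktop Users group; this is where
#    ordinary users belong once they are out of Administrators (TS Configuration permissions
#    on the RDP-Tcp listener are the other place to grant logon, as the asker did).
Write-Host "`n== Remote Desktop Users members =="
Get-LocalGroupMembers -GroupName "Remote Desktop Users" |
    ForEach-Object { Write-Host ("  {0}  [{1}]" -f $_.Name, $_.Path) }

# 3. Review the ACL on the Default Domain Policy folder in SYSVOL (GUID quoted in the thread).
$gpoFolder = Join-Path $SysvolRoot "{31B2F340-016D-11D2-945F-00C04FB984F9}"
Write-Host "`n== ACL on $gpoFolder =="
if (Test-Path $gpoFolder) {
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write
    foreach ($ace in (Get-Acl $gpoFolder).Access) {
        $principal = $ace.IdentityReference.Value
        $hasWrite  = (([int]$ace.FileSystemRights) -band ([int]$writeBits)) -ne 0
        Write-Host ("  {0,-45} {1,-6} {2}" -f $principal, $ace.AccessControlType, $ace.FileSystemRights)
        if ($hasWrite -and $ace.AccessControlType -eq "Allow" -and
            ($ExpectedGpoWriters -notcontains $principal)) {
            Write-Warning ("Unexpected write access on Default Domain Policy folder for '{0}'" -f $principal)
        }
    }
} else {
    Write-Warning "GPO folder not found; check the SYSVOL path or run from a domain-joined host."
}
```

Run it in an elevated PowerShell session on the terminal server; any `WARNING:` lines are the findings to act on. Step 1 reproduces the asker's discovery directly, and step 3 gives a concrete reading of "Domain\Users: Read" versus anything broader on the Default Domain Policy folder. Remediation (removing the group from Administrators via Computer Management, then granting logon through Remote Desktop Users or Terminal Services Configuration) is left as a manual step so the audit itself is safe to run on a production box.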