RDP Users seem to have Admin Privileges on TS Server 2003

Posted on 2011-04-26
Last Modified: 2012-05-11
I have been hired by a new employer.  Their old IT person did weird things with permissions.  One in particular is that all users that RDP to the TS server 2003 seem to have Admin privileges to the server.  In AD they are only members of the Domain Users group.  The Domain Users group does not seem to be a member of any admin groups.  If I create a brand new user from scratch, it also seems to have domain admin privileges.  How can I restrict these accounts?  Is there possibly a GPO in place?  The server is also a Metaframe server, but we are moving away from it.  Could that be giving the users elevated privileges?
0
Comment
Question by:zotfarms
10 Comments
 
LVL 13

Expert Comment

by:jonahzona
ID: 35472468
I would look at the local policies. It sounds like a local issue. You may also want to check the permissions in your TS configuration.
0
 
LVL 23

Expert Comment

by:Radhakrishnan R
ID: 35472537
Also, you can check the SYSVOL folder and check the permissions on the GUID folder, particularly the Default Domain Policy, and inside that the .gpt file permissions. If they are incorrect, then whenever you create a user they will get admin rights automatically. I faced this issue some years back.
Default permissions will be:
Domain\Administrators: Full Control
System: Full Control
Domain\Users: Read & Edit, Read

If I remember correctly, 31B2F340-016D-11D2-945F-00C04FB984F9 is the GUID for the Default Domain Policy.
0
 

Author Comment

by:zotfarms
ID: 35472606
This server is going away in about a week with server 2008 RDP Server.  Is it possible that this behavior is due to Citrix Metaframe server 4 on the server 2003?  Citrix will not be on the new server.  Could this problem be tied to the Metaframe?
0

Author Comment

by:zotfarms
ID: 35472630
If I remove the user from the "Domain Users" group and make it a member of "Users", it will no longer allow that user to connect with RDP.  I added that user in the user rights in the OU GPO that the user lives in, but it still won't allow me to connect.  I wonder whether making that group able to connect will solve my problem.
0
 

Author Comment

by:zotfarms
ID: 35472634
Under the "Users" group, I get the error that the user cannot connect to the server remotely and must be granted permission to connect.  I have added the group to both the GPO and the local security policy of the TS server 2003.  But it still will not connect unless I add back the "Domain Users" group.
0
 

Author Comment

by:zotfarms
ID: 35472641
I found folder 31B2F340-016D-11D2-945F-00C04FB984F9 in the sysvol folder.  The permissions on the folder seem fine, but I cannot find the .gpt file.  Where does it live?
0
 
LVL 15

Accepted Solution

by:
JBond2010 earned 1000 total points
ID: 35472650
You need to check on the TS Server whether the users are members of the local admin group. On the TS Server they should only be members of the Remote Desktop Users group. It sounds like he made the Domain Users group a member of the local Administrators group on the TS Server. On the TS Server > Right Click on My Computer and select Manage > Expand Local Users and Groups > check to see if Domain Users is a member of the Administrators group.
0
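The check described in the accepted answer, as an added example that is not from the thread: it enumerates the local Administrators and Remote Desktop Users groups on a terminal server through the WinNT ADSI provider and flags broad domain groups such as Domain Users that have been granted local admin. It assumes it runs with administrative rights on the TS (or against it by name) and that the list of "broad" group names is an assumption you adjust for your domain.

```powershell
# Added audit example (not from the thread). Assumes admin rights on the
# target host; uses the WinNT ADSI provider rather than Get-LocalGroupMember
# so it also works against older hosts.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    # Assumed list of broad groups that should never be local admins on a
    # shared RDP host; extend it for your own environment.
    [string[]]$BroadGroups = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users')
)

function Get-LocalGroupMembership {
    param([string]$Computer, [string]$Group)
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    # Each member is a COM object; pull its ADsPath (e.g. WinNT://CONTOSO/Domain Users)
    # and class (User or Group) via late binding.
    $grp.psbase.Invoke('Members') | ForEach-Object {
        $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
        [pscustomobject]@{
            Name  = ($path -replace '^WinNT://', '') -replace '/', '\'
            Class = $class
        }
    }
}

$admins = Get-LocalGroupMembership -Computer $ComputerName -Group 'Administrators'
$rdp    = Get-LocalGroupMembership -Computer $ComputerName -Group 'Remote Desktop Users'

Write-Host "Local Administrators on ${ComputerName}:"
$admins | Format-Table -AutoSize

# The misconfiguration from the thread: a broad domain group nested in the
# local Administrators group silently makes every RDP user an administrator.
$findings = $admins | Where-Object {
    $_.Class -eq 'Group' -and ($BroadGroups -contains ($_.Name -split '\\')[-1])
}
if ($findings) {
    Write-Warning "Broad group(s) in local Administrators: $($findings.Name -join ', ')"
    Write-Warning "Remove them (e.g. net localgroup Administrators `"DOMAIN\Domain Users`" /delete) and grant RDP via Remote Desktop Users instead."
} else {
    Write-Host "No broad domain groups found in local Administrators."
}

Write-Host "`nRemote Desktop Users on ${ComputerName}:"
$rdp | Format-Table -AutoSize
```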
 
LVL 13

Assisted Solution

by:jonahzona
jonahzona earned 1000 total points
ID: 35472657
If you are having issues after removing from the domain users group, and you don't want the users group to be able to access the TS via RDP, make a new OU in AD that you will grant access to RDP on the TS.

Log in to the TS go to Terminal Services Configuration. Right click on RDP-Tcp, click properties and then the security tab.

Add the OU of the people you want to access the TS. The user should now have TS access.
0
 

Author Comment

by:zotfarms
ID: 35472667
I am beginning to think it is Citrix.  If I try to connect the user directly to the DC, it requires the remote desktop permission.  When I give that, it allows me to connect, but as a restricted user.  I cannot shut down that server.  So maybe Citrix gives the users on the TS admin rights on the box, not the domain.  However, I still don't want them to have admin rights on the box either.
0
 

Author Closing Comment

by:zotfarms
ID: 35472713
Both of the selected answers were the fix.  The Domain Users group had been made part of the local Administrators group on the box.  Once the group was removed from the local Administrators group, I went to the TS Services Configuration and added the Domain Users group permissions, and it now allows those users to connect without admin privileges.
0