RDP Users seem to have Admin Privileges on TS Server 2003

Last Modified: 2012-05-11
I have been hired by a new employer.  Their old IT person did weird things with permissions.  One in particular is that all users that RDP to the TS server 2003 seem to have Admin privileges to the server.  In AD they are only members of the Domain Users group.  The Domain Users group does not seem to be a member of any admin groups.  If I create a brand new user from scratch, it also seems to have domain admin privileges.  How can I restrict these accounts?  Is there possibly a GPO in place?  The server is also a Metaframe server, but we are moving away from it.  Could that be giving the users elevated privileges?
Top Expert 2011

Commented:
I would look at the local policies. It sounds like a local issue. You may also want to check the permissions in your TS configuration.
systech (Senior Technical Lead, CERTIFIED EXPERT)

Commented:
Also, you can check the SYSVOL folder and check the permissions of the GUID, particularly the default domain policy, and inside that the .gpt file permission. If it is incorrect, then whenever you create a user they will get admin rights automatically. I have faced this issue some years back.
Default permissions will be:
Domain\Administrators: Full Control
System: Full Control
Domain\Users: Read & Edit, Read

If I remember correctly this is the 31B2F340-016D-11D2-945F-00C04FB984F9 GUID for the Default Domain Policy.
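An added example (not part of the thread) of the SYSVOL check suggested above, written for PowerShell: it reads the ACL of the Default Domain Policy folder and reports any Allow entry that grants write, delete or permission-change rights to a principal other than SYSTEM, Administrators, CREATOR OWNER or the domain's administrative groups. The GUID is the one quoted in the comment; the `\\<domain>\SYSVOL\<domain>\Policies\{GUID}` path layout, the list of trusted writers and the rights mask are assumptions about a default Windows domain.

```powershell
# Added example: flag non-administrative principals with write access on a GPO
# folder in SYSVOL. Run as a domain user that can read SYSVOL.
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [string]$PolicyGuid = '31B2F340-016D-11D2-945F-00C04FB984F9'   # Default Domain Policy
)

# Assumption: standard SYSVOL layout.
$policyPath = "\\$Domain\SYSVOL\$Domain\Policies\{$PolicyGuid}"

# Principals expected to hold write access on a policy folder (assumption: defaults).
$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
$TrustedWriterPatterns = @('\\Domain Admins$', '\\Enterprise Admins$',
                           '\\Group Policy Creator Owners$')

# Bits that let a principal change the policy. Read & Execute (0x200A9) shares none
# of these, so plain readers are not flagged, while Modify and Full Control are.
$WriteMask = 0x116 -bor        # WriteData, AppendData, WriteEA, WriteAttributes
             0x40  -bor        # DeleteSubdirectoriesAndFiles
             0x10000 -bor      # Delete
             0x40000 -bor      # ChangePermissions
             0x80000 -bor      # TakeOwnership
             0x10000000 -bor   # GENERIC_ALL (seen on some inherited ACEs)
             0x40000000        # GENERIC_WRITE

function Get-PolicyFolderWriteFindings {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        $id = $ace.IdentityReference.Value
        $trusted = ($TrustedWriters -contains $id) -or
                   [bool]($TrustedWriterPatterns | Where-Object { $id -match $_ })
        if (-not $trusted) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = Get-PolicyFolderWriteFindings -Path $policyPath
if ($findings) {
    Write-Warning "Non-administrative principals can modify $policyPath"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "Only administrative principals can modify $policyPath"
}
```

A principal that can write to a policy folder can change what every machine applying that GPO does, so any unexpected entry here deserves the same scrutiny as a Domain Admins membership change. Point `-PolicyGuid` at other folders under `Policies` to check the rest of the domain's GPOs.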

Author

Commented:
This server is going away in about a week with server 2008 RDP Server.  Is it possible that this behavior is due to Citrix Metaframe server 4 on the server 2003?  Citrix will not be on the new server.  Could this problem be tied to the Metaframe?

Author

Commented:
If I remove the user from the "Domain Users" group and make it a member of "Users", it will no longer allow that user to connect with RDP.  I added that user in the user rights in the OU GPO that the user lives in, but it still won't allow me to connect.  I wonder if I can make that group connect, whether it will solve my problem.

Author

Commented:
Under the "users" group, I get the error that the user cannot connect to the server remotely, and must be granted permissions to connect.  I have added the group to both the GPO and the local security policy of the TS server 2003.  But it still will not connect unless I add back the "domain Users" group.

Author

Commented:
I found folder 31B2F340-016D-11D2-945F-00C04FB984F9 in the sysvol folder.  The permissions on the folder seem fine, but I cannot find the .gpt file.  Where does it live?

Author

Commented:
I am beginning to think it is Citrix.  If I try to connect the user directly to the DC, it requires the remote desktop permission.  When I give that, it allows me to connect, but as a restricted user.  I cannot shut down that server.  So maybe Citrix gives the users on the TS admin rights on the box, not the domain.  However, I still don't want them to have admin rights on the box either.

Author

Commented:
Both of the selected answers were the fix.  The Domain Users group had been made part of the local Administrators group on the box.  Once the group was removed from local Administrators, I went to the Terminal Services Configuration and added the Domain Users group permissions, and it now allows those users to connect without admin privileges.
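An added example (not the thread's own code) of how to find and undo the misconfiguration the author describes: it enumerates the Terminal Server's local Administrators group through the ADSI WinNT provider, which exists on Windows Server 2003 without extra modules, flags domain-wide principals such as Domain Users, and with `-Remediate` removes them and then re-grants connect access on the RDP-Tcp listener. The list of "broad" principals is an assumption, and so is the use of the `Win32_TSPermissionsSetting` WMI class as the scriptable counterpart of the Terminal Services Configuration dialog; it is assumed to run on the Terminal Server itself as a local administrator.

```powershell
# Added example: audit local Administrators on a Terminal Server for domain-wide
# principals and optionally remove them, re-granting RDP connect rights afterwards.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$DomainNetbios = $env:USERDOMAIN,
    [switch]$Remediate               # remove flagged members instead of only reporting
)

# Principals that should never be local admins on a shared RDP/TS host (assumption).
$BroadPrincipals = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users', 'INTERACTIVE')

function Get-LocalGroupMembers {
    param([string]$Computer, [string]$Group)
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    $grp.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
        $cls  = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
        [pscustomobject]@{
            Name  = ($path -replace '^WinNT://', '') -replace '/', '\'   # DOMAIN\Name
            Class = $cls                                                # User or Group
            Path  = $path
        }
    }
}

function Find-BroadAdmins {
    param([string]$Computer)
    Get-LocalGroupMembers -Computer $Computer -Group 'Administrators' |
        Where-Object { $BroadPrincipals -contains ($_.Name -split '\\')[-1] }
}

$findings = Find-BroadAdmins -Computer $ComputerName
if (-not $findings) {
    Write-Host "No domain-wide principals in $ComputerName\Administrators"
    return
}
$findings | Format-Table Name, Class -AutoSize

if ($Remediate) {
    $admins = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($f in $findings) {
        # Same effect as: net localgroup Administrators "DOMAIN\Domain Users" /delete
        $admins.Remove($f.Path)
        Write-Host "Removed $($f.Name) from local Administrators"
    }
    # Users lose their implicit connect right with admin, so grant it explicitly on the
    # RDP-Tcp listener with the 'User Access' preset (1), as the thread's fix did by hand.
    # Assumption: Win32_TSPermissionsSetting is available under root\CIMV2\TerminalServices.
    $perm = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' `
                          -Class Win32_TSPermissionsSetting -Filter "TerminalName='RDP-Tcp'"
    $perm.AddAccount("$DomainNetbios\Domain Users", 1) | Out-Null
    Write-Host "Granted User Access on RDP-Tcp to $DomainNetbios\Domain Users"
}
```

Run it without `-Remediate` first; the report alone explains the symptom in the question (every new domain user inherits local admin through the nested group) without changing anything. The same audit is worth repeating on any other host that lets ordinary users log on interactively, since nested group membership is easy to miss when only the AD side is checked.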