I don't want that user to be a member of Administrators! Solutions.

I have three servers in my secta domain.

A-DEV - Virtual Machine - Windows Server 2003 Std. Edition
A-Main - Virtual Machine - Windows Server 2003 Std. Edition
A-DC (Domain Controller) - Windows Server 2003 Std. Edition

The following user "Ly" from "A-DC" wants to have access to my other server "A-MAIN" in my domain "secta".

FYI, "Ly" is a member of the following groups on my "A-DC" (Domain Controller) server:

- domain users
- Remote Desktop
- SSLVPN Users
- VPN Users.

"Ly" tries to log in remotely to "A-MAIN" but the following error (attached 'ly-secat') appears.

Logon Message
! To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually.

So as a solution, in order to give her fast access to the "A-MAIN" server, I've added her to the Administrators group and now he has access. Plus he has access to all folders on the server because he is in the Administrators group :( so I need a solution please!!!

1. I don't want that user to be an administrator... What should I do to give him access to 'A-main' without him being a member of the Administrators group?

Please see images.
ly-secat.jpg
domainusers.jpg
LelloLello Asked:

colonytire (Director of Technology) Commented:
In your RDP manager you can add that individual user to the users list (System Properties in the Control Panel > Remote tab > Select Users button. Full AD user info = secta\Ly). If you add Domain Users to the RDP users list, all domain users can log in with non-admin rights, thus including the Ly user.
0
LelloLello (Author) Commented:
What is the RDP Manager?
0
LelloLello (Author) Commented:
On which server, A-Main or the DC?
0
colonytire (Director of Technology) Commented:
Do this on your A-Main server.

The easiest way is to right-click My Computer and select Properties (also available through Control Panel and System). After the System Properties window opens, click the tab labeled Remote. You will see a button for selecting users who can log in remotely. Add the Ly user from your list of domain users and you should be good to go.
0
LelloLello (Author) Commented:
Well, the Ly user is there...
0
LelloLello (Author) Commented:
If I remove Ly from the Administrators group, he is not able to log in.
0
colonytire (Director of Technology) Commented:
Correct, but you do not want that user to have admin rights. That user needs to be in the Users group on the A-Main server. You should see that Domain Users is already listed in the A-Main\Users group. If Domain Users are in the Users group, nothing more is needed. By default, members of the local Administrators group and the Domain Admin groups have remote access. By following the steps mentioned previously, you are giving that single user remote access without being in the admin group.
0
Tony Massa Commented:
Are these servers domain controllers as well? If so, you would have to grant the "Allow to log on locally" right as well.

http://technet.microsoft.com/en-us/library/ee957044(v=ws.10).aspx
0
colonytire (Director of Technology) Commented:
That link is for 2008 servers.  He wants the user to log into a 2003 server and won't need a full GP policy for that.
0
Tony Massa Commented:
He will if it's a DC.
0
LelloLello (Author) Commented:
It's a Windows 2003 server. I even tried, no luck... In order to have access he should be a member of Administrators...

FYI, if I make a change to a users group (remove him from a group or add him to a group) on the A-DC, it will show on the A-Main server in users... so it's the same domain, secta...
0
colonytire (Director of Technology) Commented:
http://technet.microsoft.com/en-us/library/cc758036(v=ws.10).aspx

This is the same as the shortcut steps I mentioned previously.  We use this daily for our terminal servers and thin clients.  Make sure you add the secta\Ly user and you are all set.
0
Jayanta Sarmah Commented:
How about adding this user to a group or the Remote Desktop Users group, then verifying that the group has permission to access the computer remotely:

Run -> Secpol.msc -> User rights ->

Verify that the permission for this group is enabled/added in the rights below:

- Log on locally
- Allow logon through RDS/Terminal Service (RDS for 2k8 / TS for 2k3)

Also make sure the group is not added to:

- Deny logon locally
- Deny logon through RDS/Terminal Service
0
LelloLello (Author) Commented:
Colonytire:

Where should I do this, on the DC or the other server (main)?

Add users to the Remote Desktop Users group

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To add users to the Remote Desktop Users group

1. Open Computer Management.
2. In the console tree, click the Local Users and Groups node.
3. In the details pane, double-click the Groups folder.
4. Double-click Remote Desktop Users, and then click Add....
5. On the Select Users dialog box, click Locations... to specify the search location.
6. Click Object Types... to specify the types of objects you want to search for.
7. Type the name you want to add in the Enter the object names to select (examples): box.
8. Click Check Names.
9. When the name is located, click OK.
0
LelloLelloAuthor Commented:
Sarmahy, when i type secpol in windows 2003 server - run

¿      Windows cannot find secpol. Make sure you typed the name correctly, and then try again.  To search for a file, click the start button, and the click search.
pls advice.
0
colonytire (Director of Technology) Commented:
Do this on your A-Main server.

The easiest way is to right-click My Computer and select Properties (also available through Control Panel and System). After the System Properties window opens, click the tab labeled Remote. You will see a button for selecting users who can log in remotely. Add the Ly user from your list of domain users and you should be good to go.

This is outlined in the link also: http://technet.microsoft.com/en-us/library/cc758036(v=ws.10).aspx

When this is done it updates the local policy for remote users. Since the A-Main server is a member of the domain handled by A-DC, the Active Directory rules process down level as needed. Once the user is added they will be able to access the server using Remote Desktop but NOT have admin rights.
0
Cláudio Rodrigues (Founder and CEO) Commented:
Could you check on each server who is on the local Remote Desktop Users group?
Users that are NOT administrators must be on that group to be able to logon using RDP.

Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP
0
colonytire (Director of Technology) Commented:
This step adds the user to the local Remote Desktop Group:

The easiest way is to right-click My Computer and select Properties (also available through Control Panel and System). After the System Properties window opens, click the tab labeled Remote. You will see a button for selecting users who can log in remotely. Add the Ly user from your list of domain users and you should be good to go.
0
LelloLello (Author) Commented:
I will test it tomorrow.
0
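
The checks suggested in the answers above (local Remote Desktop Users membership on A-MAIN, the allow and deny Terminal Services logon rights, and removal from Administrators) can also be run from a command prompt. This is an added example, not part of the original thread; it assumes it is run on A-MAIN by a local administrator, uses the secta\Ly account from the question, and writes to an arbitrary temp file.

```batch
@echo off
rem Added example: run in a command prompt on A-MAIN as a local administrator.
rem secta\Ly is the account from the question; the temp file name is arbitrary.
setlocal
set ACCOUNT=secta\Ly
set RIGHTS=%TEMP%\user-rights.inf

echo == Current members of the local Remote Desktop Users group ==
net localgroup "Remote Desktop Users"

echo == Adding %ACCOUNT% (an "already a member" error here is harmless) ==
net localgroup "Remote Desktop Users" %ACCOUNT% /add

echo == Exporting the user rights assignment (domain and local merged) ==
secedit /export /mergedpolicy /cfg "%RIGHTS%" /areas USER_RIGHTS >nul
if errorlevel 1 (
    echo secedit export failed
    goto :end
)

rem The export is Unicode, so pipe it through "type" before findstr.
rem Accounts appear as SIDs: *S-1-5-32-544 = Administrators,
rem *S-1-5-32-555 = Remote Desktop Users.
rem SeRemoteInteractiveLogonRight     = Allow log on through Terminal Services
rem SeDenyRemoteInteractiveLogonRight = Deny log on through Terminal Services
type "%RIGHTS%" | findstr /i "RemoteInteractiveLogonRight"

rem If S-1-5-32-555 is missing from the allow line, group membership alone
rem will not let the user in, so stop before touching Administrators.
type "%RIGHTS%" | findstr /i /c:"SeRemoteInteractiveLogonRight" | findstr /c:"S-1-5-32-555" >nul
if errorlevel 1 (
    echo Remote Desktop Users does NOT hold the allow right - fix the policy first.
    goto :end
)

echo == Right is in place; removing %ACCOUNT% from local Administrators ==
net localgroup Administrators %ACCOUNT% /delete
net localgroup Administrators

:end
del "%RIGHTS%" 2>nul
endlocal
```

Also read the deny line in the printed output: if it lists a group the account belongs to, the deny right overrides the allow right and the logon is still refused.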
Question has a verified solution.