Solved

I don't want that user to be a member of Administrators! Solutions.

Posted on 2012-03-21
Last Modified: 2012-06-04
I have three servers in my secta domain.

A-DEV - Virtual Machine - Windows Server 2003 Std. Edition
A-Main - Virtual Machine - Windows Server 2003 Std. Edition
A-DC (Domain Controller) - Windows Server 2003 Std. Edition

The user "Ly" from "A-DC" wants to have access to my other server "A-MAIN" in my domain "secta".

FYI, "Ly" is a member of the following groups on my "A-DC" (Domain Controller) server:

- Domain Users
- Remote Desktop
- SSLVPN Users
- VPN Users

"Ly" tries to log in remotely to "A-MAIN" but the error in the attached 'ly-secat' image appears.

Logon Message
! To log on to this remote computer, you must be granted the Allow log on through Terminal Services right.  By default, members of the Remote Desktop Users group have this right.  If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually.

So as a solution, in order to give her fast access to the "A-MAIN" server, I've added her to the Administrators members and now he has access.  Plus he has access to all folders on the server because he is in the Administrators group :( so I need a solution please!!!

1. I don't want that user to be an administrator... What should I do to give him access to 'A-main' without being a member of the Administrators group?

Please see images.
ly-secat.jpg
domainusers.jpg
Question by:LelloLello
19 Comments
 
LVL 5

Expert Comment

by:colonytire
ID: 37749103
In your RDP manager you can add that individual user to the users list (System Properties in the Control Panel > Remote tab > Select Users button; full AD user info = secta\Ly). If you add domain users to the RDP users list, all domain users can log in with non-admin rights, thus including the Ly user.
0
 

Author Comment

by:LelloLello
ID: 37749172
What is the RDP Manager?
0
 

Author Comment

by:LelloLello
ID: 37749177
On which server, i-main or the DC?
0
 
LVL 5

Expert Comment

by:colonytire
ID: 37749235
Do this on your A-Main server.

The easiest way is to right-click My Computer and select Properties (also available through Control Panel and System). After the System Properties window opens, click the tab labeled Remote.  You will see a button for selecting users who can log in remotely.  Add the Ly user from your list of domain users and you should be good to go.
0
 

Author Comment

by:LelloLello
ID: 37749258
Well the ly user is there...
0
 

Author Comment

by:LelloLello
ID: 37749264
If I remove ly from the Administrators group, he is not able to log in.
0
 
LVL 5

Assisted Solution

by:colonytire
colonytire earned 800 total points
ID: 37749349
Correct, but you do not want that user to have admin rights.  That user needs to be in the Users group on the A-Main server.  You should see that Domain Users is already listed in the A-Main\Users group.  If Domain Users are in the Users group, nothing more is needed. By default, members of the local Administrators group and the Domain Admin groups have remote access.  By following the steps mentioned previously, you are giving that single user remote access without being in the admin group.
0
 
LVL 17

Assisted Solution

by:Tony Massa
Tony Massa earned 400 total points
ID: 37749353
Are these servers domain controllers as well?  If so, you would have to grant the "Allow to log on locally" right as well.

http://technet.microsoft.com/en-us/library/ee957044(v=ws.10).aspx
0
 
LVL 5

Expert Comment

by:colonytire
ID: 37749363
That link is for 2008 servers.  He wants the user to log into a 2003 server and won't need a full GP policy for that.
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 37749409
He will if it's a DC
0
 

Author Comment

by:LelloLello
ID: 37749433
It's a Windows 2003 server.  I even tried, no luck... in order to have access he should be a member of Administrators...

FYI, if I make a change to the Users group (remove him from the group or add him to the group) on the A-DC, it shows on the A-main server in Users... so it's the same domain, secta...
0
 
LVL 5

Accepted Solution

by:
colonytire earned 800 total points
ID: 37749571
http://technet.microsoft.com/en-us/library/cc758036(v=ws.10).aspx

This is the same as the shortcut steps I mentioned previously.  We use this daily for our terminal servers and thin clients.  Make sure you add the secta\Ly user and you are all set.
0
 
LVL 7

Assisted Solution

by:Jayanta Sarmah
Jayanta Sarmah earned 400 total points
ID: 37751825
How about adding this user to a group or to the Remote Desktop Users group, and verifying that the group has permission to access the computer remotely:

Run -> Secpol.msc -> User Rights ->

Verify that the permission for this group is enabled/added in the following:

Log on locally
Allow log on through RDS/Terminal Services (RDS for 2k8 / TS for 2k3)

Also make sure the group is not added to:
Deny log on locally
Deny log on through RDS/Terminal Services
0
 

Author Comment

by:LelloLello
ID: 37758388
Colontyre:

Where should I do this, on the DC or on the other server, main?

Add users to the Remote Desktop Users group

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2





To add users to the Remote Desktop Users group

1. Open Computer Management.
2. In the console tree, click the Local Users and Groups node.
3. In the details pane, double-click the Groups folder.
4. Double-click Remote Desktop Users, and then click Add....
5. On the Select Users dialog box, click Locations... to specify the search location.
6. Click Object Types... to specify the types of objects you want to search for.
7. Type the name you want to add in the Enter the object names to select (examples): box.
8. Click Check Names.
9. When the name is located, click OK.
0
 

Author Comment

by:LelloLello
ID: 37758400
Sarmahy, when I type secpol in Run on the Windows 2003 server:

Windows cannot find secpol. Make sure you typed the name correctly, and then try again.  To search for a file, click the Start button, and then click Search.

Please advise.
0
 
LVL 5

Expert Comment

by:colonytire
ID: 37758524
Do this on your A-Main server.

The easiest way is to right-click My Computer and select Properties (also available through Control Panel and System). After the System Properties window opens, click the tab labeled Remote.  You will see a button for selecting users who can log in remotely.  Add the Ly user from your list of domain users and you should be good to go.

This is outlined in the link also:  http://technet.microsoft.com/en-us/library/cc758036(v=ws.10).aspx

When this is done, it updates the local policy for remote users.  Since the A-Main server is a member of the domain handled by A-DC, the Active Directory rules process down-level as needed. Once the user is added, they will be able to access the server using Remote Desktop but NOT have admin rights.
0
 
LVL 31

Assisted Solution

by:Cláudio Rodrigues
Cláudio Rodrigues earned 400 total points
ID: 37766718
Could you check on each server who is on the local Remote Desktop Users group?
Users that are NOT administrators must be on that group to be able to logon using RDP.

Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP
0
 
LVL 5

Expert Comment

by:colonytire
ID: 37766817
This step adds the user to the local Remote Desktop Group:

The easiest way is to right-click My Computer and select Properties (also available through Control Panel and System). After the System Properties window opens, click the tab labeled Remote.  You will see a button for selecting users who can log in remotely.  Add the Ly user from your list of domain users and you should be good to go.
0
 

Author Comment

by:LelloLello
ID: 37829597
I will test it tomorrow
0
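
The steps discussed in this thread (membership of the local Remote Desktop Users group, removal from Administrators, and the user-rights check suggested for secpol.msc) can also be done from a command prompt. The script below is an added example, not code posted by anyone in the thread; it assumes it is run as an administrator in cmd.exe on A-MAIN, uses the account secta\Ly from the question, and the temporary file name is arbitrary.

```batch
@echo off
rem Added example: run on A-MAIN (the member server), not on A-DC.
rem secta\Ly is the account from the question; the .inf file name is arbitrary.
setlocal
set "ACCT=secta\Ly"
set "CFG=%TEMP%\user_rights.inf"

rem 1. Grant RDP access through the local Remote Desktop Users group.
rem    (An "already a member" error here is harmless.)
net localgroup "Remote Desktop Users" "%ACCT%" /add

rem 2. Take the account back out of the local Administrators group.
net localgroup Administrators "%ACCT%" /delete

rem 3. List both groups so the result can be checked by eye.
net localgroup "Remote Desktop Users"
net localgroup Administrators

rem 4. Export the user rights assignment and print the two rights that
rem    decide RDP logon. Built-in groups are listed by SID:
rem      *S-1-5-32-555 = Remote Desktop Users
rem      *S-1-5-32-544 = Administrators
rem    The "allow" line should contain *S-1-5-32-555; the "deny" line must
rem    not contain any group the account belongs to.
secedit /export /areas USER_RIGHTS /cfg "%CFG%" >nul
type "%CFG%" | findstr /i "SeRemoteInteractiveLogonRight SeDenyRemoteInteractiveLogonRight"

del "%CFG%"
endlocal
```

The user has to log off and back on before the group change takes effect. If no SeDenyRemoteInteractiveLogonRight line is printed, no deny entry is set on the server.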
