  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 390

I don't want that user to be a member of Administrators! Solutions.

I have three servers in my secta domain.

A-DEV - Virtual Machine - Windows Server 2003 Std. Edition
A-Main - Virtual Machine - Windows Server 2003 Std. Edition
A-DC (Domain Controller) - Windows Server 2003 Std. Edition.

The following user, "Ly", from "A-DC" wants to have access to my other server, "A-MAIN", in my domain "secta".

FYI, "Ly" is a member of the following on my "A-DC" (Domain Controller) server. Member of:

- Domain Users
- Remote Desktop
- SSLVPN Users
- VPN Users

"Ly" tries to log in remotely to "A-MAIN", but the following error (attached 'ly-secat') appears.

Logon Message
! To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually.

So as a solution, in order to give her fast access to the "A-MAIN" server, I've added her to the Administrators members and now he has access. Plus he has access to all folders on the server because he is in the Administrators group :( so I need a solution please!!!

1. I don't want that user to be an administrator... What should I do to give him access to 'A-Main' without being a member of the Administrators group?

Please see images.
ly-secat.jpg
domainusers.jpg
0
LelloLello
Asked:
5 Solutions
 
colonytireDirector of TechnologyCommented:
In your RDP manager you can add that individual user to the users list (System Properties in the Control Panel > Remote tab > Select Users button. Full AD user info = secta\Ly). If you add Domain Users to the RDP users list, all domain users can log in with non-admin rights, thus including the Ly user.
0
 
LelloLelloAuthor Commented:
What is the RDP Manager?
0
 
LelloLelloAuthor Commented:
On which server, A-Main or the DC?
0

 
colonytireDirector of TechnologyCommented:
Do this on your A-Main server.

The easiest way is to right-click on My Computer and select Properties (also available through Control Panel and System). After the System Properties window opens, click on the tab labeled Remote. You will see a button for selecting users who can log in remotely. Add the Ly user from your list of domain users and you should be good to go.
0
 
LelloLelloAuthor Commented:
Well, the Ly user is there...
0
 
LelloLelloAuthor Commented:
If I remove Ly from the Administrators group, he is not able to log in.
0
 
colonytireDirector of TechnologyCommented:
Correct, but you do not want that user to have admin rights. That user needs to be in the Users group on the A-Main server. You should see that Domain Users is already listed in the A-Main\Users group. If Domain Users are in the Users group, nothing more is needed. By default, members of the local Administrators group and the Domain Admins group have remote access. By following the steps mentioned previously, you are giving that single user remote access without being in the admin group.
0
 
Tony MassaCommented:
Are these servers domain controllers as well? If so, you would have to grant the "Allow to log on locally" right as well.

http://technet.microsoft.com/en-us/library/ee957044(v=ws.10).aspx
0
 
colonytireDirector of TechnologyCommented:
That link is for 2008 servers.  He wants the user to log into a 2003 server and won't need a full GP policy for that.
0
 
Tony MassaCommented:
He will if it's a DC
0
 
LelloLelloAuthor Commented:
It's a Windows 2003 server. I even tried, no luck... in order to have access he should be a member of Administrators...

FYI, if I make a change to a users group (remove him from a group or add him to a group) on the A-DC, it will show on the A-Main server under users... so it's the same domain, secta...
0
 
colonytireDirector of TechnologyCommented:
http://technet.microsoft.com/en-us/library/cc758036(v=ws.10).aspx

This is the same as the shortcut steps I mentioned previously.  We use this daily for our terminal servers and thin clients.  Make sure you add the secta\Ly user and you are all set.
0
 
Jayanta SarmahCommented:
How about adding this user to a group or the Remote Desktop Users group, then verifying that the group has permission to access the computer remotely:

Run -> Secpol.msc -> User right ->

Verify the permission for this group is enabled/added in the below:

Log on locally
Allow logon through RDS/Terminal Service (RDS for 2k8 / TS for 2k3)

Also make sure the group is not added to:
Deny logon locally
Deny logon through RDS/Terminal Service.
0
 
LelloLelloAuthor Commented:
Colonytire:

Where should I do this, on the DC or the other server (Main)?

Add users to the Remote Desktop Users group


Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2





To add users to the Remote Desktop Users group

1. Open Computer Management.
2. In the console tree, click the Local Users and Groups node.
3. In the details pane, double-click the Groups folder.
4. Double-click Remote Desktop Users, and then click Add....
5. On the Select Users dialog box, click Locations... to specify the search location.
6. Click Object Types... to specify the types of objects you want to search for.
7. Type the name you want to add in the Enter the object names to select (examples): box.
8. Click Check Names.
9. When the name is located, click OK.
0
 
LelloLelloAuthor Commented:
Sarmah, when I type secpol in Windows 2003 Server - Run:

Windows cannot find secpol. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
Please advise.
0
 
colonytireDirector of TechnologyCommented:
Do this on your A-Main server.

The easiest way is to right-click on My Computer and select Properties (also available through Control Panel and System). After the System Properties window opens, click on the tab labeled Remote. You will see a button for selecting users who can log in remotely. Add the Ly user from your list of domain users and you should be good to go.

This is outlined in the link also: http://technet.microsoft.com/en-us/library/cc758036(v=ws.10).aspx

When this is done it updates the local policy for remote users. Since the A-Main server is a member of the domain handled by A-DC, the Active Directory rules process down level as needed. Once the user is added they will be able to access the server using Remote Desktop but NOT have admin rights.
0
 
Cláudio RodriguesFounder and CEOCommented:
Could you check on each server who is in the local Remote Desktop Users group?
Users that are NOT administrators must be in that group to be able to log on using RDP.

Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP
0
 
colonytireDirector of TechnologyCommented:
This step adds the user to the local Remote Desktop Group:

The easiest way is to right-click on My Computer and select Properties (also available through Control Panel and System). After the System Properties window opens, click on the tab labeled Remote. You will see a button for selecting users who can log in remotely. Add the Ly user from your list of domain users and you should be good to go.
0
 
LelloLelloAuthor Commented:
I will test it tomorrow
0
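The steps discussed in this thread (local Remote Desktop Users membership on A-Main, then checking the Terminal Services logon rights), as an added command-line example that is not part of the original posts. It assumes an administrator command prompt on the A-Main member server and the secta\Ly account from the question; the temporary file name is arbitrary.

```bat
@echo off
rem Added example, not from the thread. Run on A-MAIN as an administrator.
setlocal
set "ACCOUNT=secta\Ly"
set "CFG=%TEMP%\user_rights_export.inf"

rem 1. Make sure the account is in the LOCAL Remote Desktop Users group.
net localgroup "Remote Desktop Users" | findstr /i /l /c:"%ACCOUNT%" >nul
if errorlevel 1 (
    net localgroup "Remote Desktop Users" "%ACCOUNT%" /add
    if errorlevel 1 goto :fail
)

rem 2. Only after step 1 succeeded, undo the workaround:
rem    take the account out of the local Administrators group.
net localgroup Administrators | findstr /i /l /c:"%ACCOUNT%" >nul
if not errorlevel 1 net localgroup Administrators "%ACCOUNT%" /delete

rem 3. Show the resulting membership of both groups for review.
net localgroup "Remote Desktop Users"
net localgroup Administrators

rem 4. Export the user rights assignments and show the two that decide
rem    Terminal Services logon. secedit writes a Unicode file, so it is
rem    piped through "type" before findstr reads it.
secedit /export /cfg "%CFG%" /areas USER_RIGHTS
if errorlevel 1 goto :fail
type "%CFG%" | findstr /i "SeRemoteInteractiveLogonRight SeDenyRemoteInteractiveLogonRight"
del "%CFG%"

rem Reading the output:
rem   SeRemoteInteractiveLogonRight     = "Allow log on through Terminal Services".
rem     It should list *S-1-5-32-555 (the well-known SID of Remote Desktop Users).
rem   SeDenyRemoteInteractiveLogonRight = "Deny log on through Terminal Services".
rem     Neither the account nor any group it belongs to should be listed here.
rem     If the line is missing, nobody is denied.
endlocal
exit /b 0

:fail
echo A step failed; local Administrators membership was left unchanged by the failing step.
endlocal
exit /b 1
```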
Question has a verified solution.
