Solved

I don't want that user to be a member of Administrators! Solutions.

Posted on 2012-03-21
Last Modified: 2012-06-04
I have three servers in my secta domain.

A-DEV Virtual Machine - Windows Server 2003 Std. Edition
A-Main - Virtual Machine - Windows Server 2003 Std. Edition
A-DC  (Domain Controller) - Windows Server 2003 Std. Edition.

The user "Ly" from the "A-DC" wants to have access to my other server "A-MAIN" in my domain "secta".

FYI, "Ly" is a member of the following groups on my "A-DC" (Domain Controller) server:

- Domain Users
- Remote desktop
- SSLVPN Users
- VPN Users

"Ly" tries to log in remotely to "A-MAIN" but the error in the attached 'ly-secat' image appears.

Logon Message
! To log on to this remote computer, you must be granted the Allow log on through Terminal Services right.  By default, members of the Remote Desktop Users group have this right.  If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually.

So as a solution, in order to give her fast access to the "A-MAIN" server, I've added her to the Administrators members and now he has access.  Plus he has access to all folders on the server because he is in the Administrators group :( so I need a solution please !!!

1. I don't want that user to be an administrator... What should I do to give him access to 'A-Main' without being a member of the Administrators group?

Please see images.
ly-secat.jpg
domainusers.jpg
Question by:LelloLello
19 Comments
 
LVL 5

Expert Comment

by:colonytire
In your RDP manager you can add that individual user to the users list (System Properties in the control panel>Remote tab>Select Users button. Full AD user info= secta\Ly). If you add domain users to the RDP users list, all domain users can login with non-admin rights thus including the Ly user.
0
 

Author Comment

by:LelloLello
What is the RDP Manager?
0
 

Author Comment

by:LelloLello
On which server, A-Main or the DC?
0
 
LVL 5

Expert Comment

by:colonytire
Do this on your A-Main server.

The easiest way is to right-click on My Computer and select Properties (also available through Control Panel and System). After the System Properties window opens, click on the tab labeled Remote.  You will see a button for selecting users who can log in remotely.  Add the Ly user from your list of domain users and you should be good to go.
0
 

Author Comment

by:LelloLello
Well the ly user is there...
0
 

Author Comment

by:LelloLello
If I remove Ly from the Administrators group, he is not able to log in.
0
 
LVL 5

Assisted Solution

by:colonytire
colonytire earned 200 total points
Correct, but you do not want that user to have admin rights.  That user needs to be in the Users group on the A-Main server.  You should see that Domain Users is already listed in the A-Main\Users group.  If Domain users are in the Users group nothing more is needed. By default members of the local Administrators group and the Domain Admin groups have remote access.  By following the steps mentioned previously, you are adding that single user the remote access without being in the admin group.
0
 
LVL 17

Assisted Solution

by:Tony Massa
Tony Massa earned 100 total points
Are these server domain controllers as well?  If so, you would have to grant the "Allow to log on locally" right as well.

http://technet.microsoft.com/en-us/library/ee957044(v=ws.10).aspx
0
 
LVL 5

Expert Comment

by:colonytire
That link is for 2008 servers.  He wants the user to log into a 2003 server and won't need a full GP policy for that.
0
 
LVL 17

Expert Comment

by:Tony Massa
He will if it's a DC
0
 

Author Comment

by:LelloLello
It's a Windows 2003 server.  I even tried, no luck... in order to have access he should be a member of Administrators...

FYI, if I make a change to the Users group on the A-DC (remove him from the group or add him to the group), it shows on the A-Main server in Users... so it's the same domain, secta...
0
 
LVL 5

Accepted Solution

by:
colonytire earned 200 total points
http://technet.microsoft.com/en-us/library/cc758036(v=ws.10).aspx

This is the same as the shortcut steps I mentioned previously.  We use this daily for our terminal servers and thin clients.  Make sure you add the secta\Ly user and you are all set.
0
 
LVL 7

Assisted Solution

by:Jayanta Sarmah
Jayanta Sarmah earned 100 total points
How about adding this user to a group or to the Remote Desktop Users group, then verifying that the group has permission to access the computer remotely:

Run -> Secpol.msc -> User right ->

Verify that the permission for this group is enabled/added in the rights below:

Log on locally
Allow logon through RDS/Terminal Services (RDS for 2k8 / TS for 2k3)

Also make sure the group is not added to:
Deny logon locally
Deny logon through RDS/Terminal Services.
0
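The user-rights check described in the answer above can be scripted. As an added example (not code from the thread), this Python script parses the `[Privilege Rights]` section of a `secedit /export` file taken on A-MAIN and reports whether an account holds the Terminal Services logon right, and whether it holds it only through Administrators; the sample export and the `SECTA\Contractors` group are constructed assumptions.

```python
# Added example (not from the thread): audit the Terminal Services logon right.
ADMINS = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
RDU = "S-1-5-32-555"      # well-known SID of BUILTIN\Remote Desktop Users
ALLOW = "SeRemoteInteractiveLogonRight"      # Allow log on through Terminal Services
DENY = "SeDenyRemoteInteractiveLogonRight"   # Deny log on through Terminal Services

# Constructed sample of what `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# writes on the member server; SECTA\Contractors is a hypothetical group.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = SECTA\\Contractors
[Version]
signature="$CHICAGO$"
"""


def parse_privilege_rights(inf_text):
    """Return {right name: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip().lstrip("*").upper()
                                    for p in value.split(",") if p.strip()}
    return rights


def rdp_verdict(rights, token):
    """token: the account name plus every group SID or name in its logon token."""
    token = {t.upper() for t in token}
    denied = token & rights.get(DENY, set())
    if denied:                    # an explicit deny overrides any allow
        return "denied", sorted(denied)
    granted = token & rights.get(ALLOW, set())
    if not granted:
        return "no-right", []
    if granted == {ADMINS}:       # works, but only because the account is an admin
        return "admin-only", sorted(granted)
    return "allowed", sorted(granted)


RIGHTS = parse_privilege_rights(SAMPLE_INF)
print(rdp_verdict(RIGHTS, {"SECTA\\Ly", "SECTA\\Domain Users", RDU}))
```

An `admin-only` verdict is the situation the question describes: the logon succeeds, but only because the account carries the Administrators SID.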
 

Author Comment

by:LelloLello
Colonytire:

Where should I do this, on the DC or on the other server, main?

Add users to the Remote Desktop Users group

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To add users to the Remote Desktop Users group

1. Open Computer Management.
2. In the console tree, click the Local Users and Groups node.
3. In the details pane, double-click the Groups folder.
4. Double-click Remote Desktop Users, and then click Add....
5. On the Select Users dialog box, click Locations... to specify the search location.
6. Click Object Types... to specify the types of objects you want to search for.
7. Type the name you want to add in the Enter the object names to select (examples): box.
8. Click Check Names.
9. When the name is located, click OK.
0
 

Author Comment

by:LelloLello
Sarmahy, when I type secpol in Run on the Windows 2003 server:

Windows cannot find secpol. Make sure you typed the name correctly, and then try again.  To search for a file, click the Start button, and then click Search.

Please advise.
0
 
LVL 5

Expert Comment

by:colonytire
Do this on your A-Main server.

The easiest way is to right-click on My Computer and select Properties (also available through Control Panel and System). After the System Properties window opens, click on the tab labeled Remote.  You will see a button for selecting users who can log in remotely.  Add the Ly user from your list of domain users and you should be good to go.

This is outlined in the link also:  http://technet.microsoft.com/en-us/library/cc758036(v=ws.10).aspx

When this is done it updates the Local policy for remote users.  Since the A-Main server is a member of the Domain handled by A-DC the Active Directory rules process down level as needed. Once the user is added they will be able to access the server using Remote Desktop but NOT have Admin rights.
0
 
LVL 31

Assisted Solution

by:Cláudio Rodrigues
Cláudio Rodrigues earned 100 total points
Could you check on each server who is on the local Remote Desktop Users group?
Users that are NOT administrators must be on that group to be able to logon using RDP.

Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP
0
 
LVL 5

Expert Comment

by:colonytire
This step adds the user to the local Remote Desktop Group:

The easiest way is to right-click on My Computer and select Properties (also available through Control Panel and System). After the System Properties window opens, click on the tab labeled Remote.  You will see a button for selecting users who can log in remotely.  Add the Ly user from your list of domain users and you should be good to go.
0
 

Author Comment

by:LelloLello
I will test it tomorrow
0
