Terminal server local user access problem

Posted on 2012-09-06
Medium Priority
Last Modified: 2012-09-24
Windows SBS 2003 server, Windows 2008 Terminal Server. TS is NOT a domain controller, for security reasons, but is part of the domain.
Several remote locations log in to TS to run local database apps.
New requirement is to allow "guest" users onto the TS to run these database apps, also in "guest" mode.
Original idea was to create a local, not domain, user on the TS box. That way there's less access to other apps and files on the network. But I get the "allow log on through Terminal Server right" error.
Since this isn't a domain controller or domain user account, I can't figure out where to change the policy without removing all the security. (Not every domain user has TS privileges).
Question by:geekzinc

Expert Comment

by:Rob Williams
ID: 38374411
There could be issues with this and domain group policy overriding in some cases.  In some ways this is less secure than making them a domain user as you do not have full control of them with group policy.  It sounds more like you are trying to avoid an SBS CAL than addressing security.  It would be better to create a domain group with restricted rights. The user still needs a Server CAL if they do not have an SBS CAL, and they need a TS CAL regardless, and I'm not sure how that will work if the SBS is the TS licensing server.

However, the user would have to be a member of the "Remote Desktop Users" group on the TS itself, which basically includes them in the following local policy: On the TS: Control Panel | Administrative Tools | Local Security Policy | Local Policies | User Rights Assignments ...make sure Remote Desktop Users is included in "Allow log on through Terminal Services"

If the data is stored on the SBS they would need a domain account to access it.
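A way to check the two settings named in the comment above from a prompt on the TS, as an added example that is not part of the original thread. It assumes an elevated PowerShell session on the terminal server; the temp file name and the `Resolve-Principal` helper are hypothetical, and the local-account test is a heuristic based on the WinNT path layout.

```powershell
# Added example: list who holds the RDP logon right and who is in the
# local "Remote Desktop Users" group. Run elevated on the TS itself.
$cfg = Join-Path $env:TEMP 'ts_user_rights.inf'   # hypothetical temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Hypothetical helper: secedit writes most principals as *S-1-5-... SIDs.
function Resolve-Principal([string]$entry) {
    $entry = $entry.Trim()
    if ($entry -notmatch '^\*S-') { return $entry }   # already a plain name
    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # unresolvable SID (deleted account, domain unreachable)
}

# "Allow" and "Deny log on through Terminal Services"; a deny entry wins.
foreach ($right in 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $line = Get-Content $cfg | Where-Object { $_ -match "^$right\s*=" }
    "${right}:"
    if (-not $line) { '  (not assigned)'; continue }
    ($line -split '=', 2)[1] -split ',' | ForEach-Object { '  ' + (Resolve-Principal $_) }
}
Remove-Item $cfg

# Membership of the local group that normally carries the allow right.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
'Remote Desktop Users members:'
$group.Invoke('Members') | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    # Heuristic: local accounts carry the computer name in their WinNT path.
    $kind = if ($path -match "/$env:COMPUTERNAME/") { 'local' } else { 'domain' }
    "  [$kind] $path"
}
```

If Remote Desktop Users is missing from the allow right, or the account appears under the deny right, the logon is refused even when the group membership is correct.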

Author Comment

ID: 38374588
Yeah, about the data - that was the next hurdle.
The app is called TOPS, it's pretty much Quickbooks for property managers.
The way it's written it REQUIRES local admin access to run. I've already complained about that, obviously to no avail.
I managed to make a remote app out of TOPS on the terminal server.
SBS CALs weren't really a concern - just trying to keep these users confined to a box with little data on it.
The bigger problem is that they want accounts for every board member for every building they manage. That's somewhere around 8+ board members per property * 80+ properties.

Accepted Solution

Rob Williams earned 1500 total points
ID: 38374852
If the data is on the SBS then you most definitely need a domain account and an SBS CAL, which of course has a limit of 75 users.  

With that many users you might be better to set up a non-domain TS with the data stored locally. If you are going to have 8 x 80 users, that is well over $10,000 in CALs (server std + TS/RDS); the cost of the server and software becomes much less expensive. I assume you will only have a limited number of users at one time? Otherwise you are going to need a TS farm.
