Terminal server local user access problem

Windows SBS 2003 server, Windows 2008 Terminal Server. TS is NOT a domain controller, for security reasons, but is part of the domain.
Several remote locations log in to TS to run local database apps.
New requirement is to allow "guest" users onto the TS to run these database apps, also in "guest" mode.
Original idea was to create a local, not domain, user on the TS box. That way there's less access to other apps and files on the network. But I get the "allow log on through Terminal Server right" error.
Since this isn't a domain controller or domain user account, I can't figure out where to change the policy without removing all the security. (Not every domain user has TS privileges).
Who is Participating?
Rob WilliamsCommented:
If the data is on the SBS then you most definitely need a domain account and an SBS CAL, which of course has a limit of 75 users.  

With that many users you might be better to set up a non-domain TS with the data stored locally.  If you are going to have 8 x 80 users that is well over $10,000 in CAL's (server std + TS/RDS) the cost of the server and software becomes much less expensive.  I assume you will only have a limited number of users at one time?  Otherwise you are going to need a TS farm.
Rob WilliamsCommented:
There could be issues with this and domain group policy overriding in some cases.  In some ways this is less secure than making them a domain user as you do not have full control of them with group policy.  It sounds more like you are trying to avoid an SBS CAL than addressing security.  It would be better to create a domain group with restricted rights. The user still needs a Server CAL if they do not have an SBS CAL, and they need a TS CAL regardless, and I'm not sure how that will work if the SBS is the TS licensing server.

However; the user would have to be a member of the "remote Desktop User's Group" on the TS itself which basically includes them in the following local policy:  On the TS: Control Panel | Administrative tools | Local Security Policy | Local Policies | User Rights Assignments ...make sure Remote Desktop Users is included in "allow logon through Terminal Services"

If the data is stored on the SBS they would need a domain account to access it.
geekzincAuthor Commented:
Yeah, about the data - that was the next hurdle.
The app is called TOPS, it's pretty much Quickbooks for property managers.
The way it's written it REQUIRES local admin access to run. I've already complained about that, obviously to no avail.
I managed to make a remote app out of TOPS on the terminal server.
SBS CALs weren't really a concern - just trying to keep these users confined to a box with little data on it.
The bigger problem is that they want accounts for every board member for every building they manage. That's somewhere around 8+ board members per property * 80+ properties.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.