Terminal server local user access problem

Posted on 2012-09-06
Last Modified: 2012-09-24
Windows SBS 2003 server, Windows 2008 Terminal Server. TS is NOT a domain controller, for security reasons, but is part of the domain.
Several remote locations log in to TS to run local database apps.
New requirement is to allow "guest" users onto the TS to run these database apps, also in "guest" mode.
Original idea was to create a local, not domain, user on the TS box. That way there's less access to other apps and files on the network. But I get the "allow log on through Terminal Server right" error.
Since this isn't a domain controller or domain user account, I can't figure out where to change the policy without removing all the security. (Not every domain user has TS privileges).
Question by: geekzinc
    LVL 77

    Expert Comment

    by:Rob Williams
    There could be issues with this and domain group policy overriding in some cases.  In some ways this is less secure than making them a domain user as you do not have full control of them with group policy.  It sounds more like you are trying to avoid an SBS CAL than addressing security.  It would be better to create a domain group with restricted rights. The user still needs a Server CAL if they do not have an SBS CAL, and they need a TS CAL regardless, and I'm not sure how that will work if the SBS is the TS licensing server.

    However, the user would have to be a member of the "Remote Desktop Users" group on the TS itself, which basically includes them in the following local policy: On the TS: Control Panel | Administrative Tools | Local Security Policy | Local Policies | User Rights Assignment ... make sure Remote Desktop Users is included in "Allow log on through Terminal Services".

    If the data is stored on the SBS they would need a domain account to access it.
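
A read-only check of the two conditions named in the comment above, as an added example that is not part of the original thread. The account name `tsguest` is a hypothetical placeholder; the script assumes an elevated PowerShell prompt on the terminal server.

```powershell
# Added example: verify group membership and the logon right without changing anything.
$User   = 'tsguest'                        # hypothetical local account name
$RduSid = 'S-1-5-32-555'                   # well-known SID of BUILTIN\Remote Desktop Users
$Right  = 'SeRemoteInteractiveLogonRight'  # "Allow log on through Terminal Services"

# 1. Is the account a member of the local Remote Desktop Users group?
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
$inGroup = $members -contains $User

# 2. Does the group hold the logon right in the effective policy?
#    secedit exports the settings currently in force, so a domain GPO
#    that overrides the local policy shows up here as well.
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match "^$Right\s*=" }
Remove-Item $inf

$holders = @()
if ($line) {
    # Format: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $holders = ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
$groupHasRight = $holders -contains $RduSid

"Member of Remote Desktop Users : $inGroup"
"Group holds $Right : $groupHasRight"
"Current holders of the right   : $($holders -join ', ')"

if (-not $groupHasRight) {
    Write-Warning 'Remote Desktop Users is missing from "Allow log on through Terminal Services".'
}
if (-not $inGroup) {
    Write-Warning "$User is not in the local Remote Desktop Users group."
}
```

If the right is listed correctly in Local Security Policy but missing from this output, a domain group policy is overriding the local assignment.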

    Author Comment

    Yeah, about the data - that was the next hurdle.
    The app is called TOPS, it's pretty much QuickBooks for property managers.
    The way it's written it REQUIRES local admin access to run. I've already complained about that, obviously to no avail.
    I managed to make a remote app out of TOPS on the terminal server.
    SBS CALs weren't really a concern - just trying to keep these users confined to a box with little data on it.
    The bigger problem is that they want accounts for every board member for every building they manage. That's somewhere around 8+ board members per property * 80+ properties.
    LVL 77

    Accepted Solution

    If the data is on the SBS then you most definitely need a domain account and an SBS CAL, which of course has a limit of 75 users.  

    With that many users you might be better to set up a non-domain TS with the data stored locally.  If you are going to have 8 x 80 users that is well over $10,000 in CALs (server std + TS/RDS); the cost of the server and software becomes much less expensive.  I assume you will only have a limited number of users at one time?  Otherwise you are going to need a TS farm.
