Solved

remote access on all systems to backup operators

Posted on 2013-06-25
7
1,052 Views
Last Modified: 2013-11-21
Hi Experts,
Is there a way thru which i can allow "backup operator" group members RDP access on all domain computers/servers ?

i tried to make them members of "remote desktop users" builtin group but that didnt work.


we are running AD on 2008 R2.
0
Comment
Question by:pdixit1977
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 16

Accepted Solution

by:
ThinkPaper earned 150 total points
ID: 39276288
Are you doing any of this through Group Policy?

There are settings to allow Terminal Services:
Computer Configuration/Policies/Windows Settings/Security SEttings/Local Policies/User Rights Assignment

Allow log on through Terminal Services
Deny Log on through Terminal Services
0
 

Author Comment

by:pdixit1977
ID: 39277832
thanks but "Allow log on through Terminal Services" is automatically  assign when a user added to "remote desktop users" built in AD group than why i need to setup this group policy separately.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39293478
The backup operators group needs to be added to the remote desktop user's group on each PC.  You might want to test it on one.  To do this through group policy you need to make use of "restricted groups".  This will replace the members of the local Administrators group so be careful how you use it , as you can lock yourself out.  I recommnd applying the policy only to member computers and not servers.

From an older post of mine.  The links are older but still apply.  You can also do it with a script, let me know if you want details.

"Restricted Groups" is designed specificaly for this purpose. It lets you create a group of users that will be members of the local (Pc's) admin group, but not domain admins. When setting it up be careful as it can replace all local admins (except the default administrator account) and if you haven't added your account or a group to which you belong, you could be locked out. Also, make sure you only apply it to a computer OU, i.e. make sure you do not apply it to your Domain Controllers.
http://www.frickelsoft.net/blog/?p=13
There are some TouTube vieos on this as well
http://www.google.ca/#hl=en&q=2008+restricted+groups&gs_sm=e&gs_upl=37653l44242l0l44456l23l17l0l6l6l0l472l3384l0.7.8.0.1l22l0&um=1&ie=UTF-8&tbo=u&tbm=vid&source=og&sa=N&tab=wv&bav=on.2,or.r_gc.r_pw.,cf.osb&fp=89c4b17b97ea8f9d&biw=1449&bih=743
0
 
LVL 18

Assisted Solution

by:irweazelwallis
irweazelwallis earned 100 total points
ID: 39293492
adding them to remote desktop users will only work if the local groups on the servers and the settings for "allow log on through terminal services"

as said by "ThinkPaper" group policy can amend this group and the settings that use this group via group policy. If you do this that way every time it refreshes group policy it ensure the group membership and local right are assigned correctly.

Without using group policy or local policies that are checked and maintained someone can change this settings and revoke access until someone checks and sets it back
0
 

Author Closing Comment

by:pdixit1977
ID: 39311066
thanks
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question