Solved

remote access on all systems to backup operators

Posted on 2013-06-25
Last Modified: 2013-11-21
Hi Experts,
Is there a way through which I can allow "backup operator" group members RDP access on all domain computers/servers?

I tried to make them members of the "remote desktop users" builtin group but that didn't work.

We are running AD on 2008 R2.
Question by:pdixit1977
7 Comments
 
LVL 16

Accepted Solution

by:
ThinkPaper earned 450 total points
ID: 39276288
Are you doing any of this through Group Policy?

There are settings to allow Terminal Services:
Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment

Allow log on through Terminal Services
Deny Log on through Terminal Services
0
 

Author Comment

by:pdixit1977
ID: 39277832
Thanks, but "Allow log on through Terminal Services" is automatically assigned when a user is added to the "remote desktop users" built-in AD group, so why do I need to set up this group policy separately?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39293478
The backup operators group needs to be added to the remote desktop users group on each PC.  You might want to test it on one.  To do this through group policy you need to make use of "restricted groups".  This will replace the members of the local Administrators group so be careful how you use it, as you can lock yourself out.  I recommend applying the policy only to member computers and not servers.

From an older post of mine.  The links are older but still apply.  You can also do it with a script, let me know if you want details.

"Restricted Groups" is designed specifically for this purpose. It lets you create a group of users that will be members of the local (PC's) admin group, but not domain admins. When setting it up be careful as it can replace all local admins (except the default administrator account) and if you haven't added your account or a group to which you belong, you could be locked out. Also, make sure you only apply it to a computer OU, i.e. make sure you do not apply it to your Domain Controllers.
http://www.frickelsoft.net/blog/?p=13
There are some YouTube videos on this as well
http://www.google.ca/#hl=en&q=2008+restricted+groups&gs_sm=e&gs_upl=37653l44242l0l44456l23l17l0l6l6l0l472l3384l0.7.8.0.1l22l0&um=1&ie=UTF-8&tbo=u&tbm=vid&source=og&sa=N&tab=wv&bav=on.2,or.r_gc.r_pw.,cf.osb&fp=89c4b17b97ea8f9d&biw=1449&bih=743
0
 
LVL 18

Assisted Solution

by:irweazelwallis
irweazelwallis earned 300 total points
ID: 39293492
Adding them to remote desktop users will only work if the local groups on the servers and the settings for "allow log on through terminal services"

As said by "ThinkPaper", group policy can amend this group and the settings that use this group via group policy. If you do it that way, every time it refreshes group policy it ensures the group membership and local rights are assigned correctly.

Without using group policy or local policies that are checked and maintained, someone can change these settings and revoke access until someone checks and sets it back
0
 

Author Closing Comment

by:pdixit1977
ID: 39311066
thanks
0
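
An added example, not from any poster in this thread: Python that reads a security template (the `.inf` produced by `secedit /export`, or a GPO's `GptTmpl.inf`) and reports whether Backup Operators ends up with the RDP logon right, combining the User Rights Assignment and Restricted Groups settings discussed above. "Allow log on through Terminal Services" is stored there as `SeRemoteInteractiveLogonRight`; the sample template is constructed and the function names are this example's own.

```python
import configparser

# Well-known SIDs of the built-in groups discussed in this thread.
BACKUP_OPS, RDP_USERS = "S-1-5-32-551", "S-1-5-32-555"
ALLOW, DENY = "SeRemoteInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight"

# Constructed sample in security-template (.inf) layout, not from a real system.
# A real export is UTF-16: decode it first, e.g. open(path, encoding="utf-16").
SAMPLE_INF = """\
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight =
[Group Membership]
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = *S-1-5-32-551
"""

def _sids(value):
    """Split '*S-1-..,*S-1-..' into a set of bare SIDs or account names."""
    return {v.strip().lstrip("*") for v in (value or "").split(",") if v.strip()}

def parse_template(text):
    """Return (user rights, Restricted Groups members) from template text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True)
    cp.optionxform = str  # keep the case of keys such as SeRemote...
    cp.read_string(text)
    rights, members = {}, {}
    if cp.has_section("Privilege Rights"):
        rights = {k: _sids(v) for k, v in cp.items("Privilege Rights")}
    if cp.has_section("Group Membership"):
        for key, value in cp.items("Group Membership"):
            if key.endswith("__Members"):
                members[key[:-len("__Members")].lstrip("*")] = _sids(value)
    return rights, members

def rdp_verdict(text, sid=BACKUP_OPS):
    """Decide whether `sid` can log on over RDP (one level of nesting only)."""
    rights, members = parse_template(text)
    allow, deny = rights.get(ALLOW, set()), rights.get(DENY, set())
    # The SID itself plus every group Restricted Groups places it in.
    holders = {sid} | {g for g, m in members.items() if sid in m}
    if holders & deny:
        return False, "deny right overrides allow"
    if holders & allow:
        return True, "allowed via " + ",".join(sorted(holders & allow))
    return False, "member of no group that holds the allow right"

if __name__ == "__main__":
    print(rdp_verdict(SAMPLE_INF))
```

Run it against a template exported from one machine before and after the policy applies to confirm that both the group membership and the user right are in place.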
