Solved

remote access on all systems to backup operators

Posted on 2013-06-25
7
1,031 Views
Last Modified: 2013-11-21
Hi Experts,
Is there a way thru which i can allow "backup operator" group members RDP access on all domain computers/servers ?

i tried to make them members of "remote desktop users" builtin group but that didnt work.


we are running AD on 2008 R2.
0
Comment
Question by:pdixit1977
7 Comments
 
LVL 16

Accepted Solution

by:
ThinkPaper earned 150 total points
ID: 39276288
Are you doing any of this through Group Policy?

There are settings to allow Terminal Services:
Computer Configuration/Policies/Windows Settings/Security SEttings/Local Policies/User Rights Assignment

Allow log on through Terminal Services
Deny Log on through Terminal Services
0
 

Author Comment

by:pdixit1977
ID: 39277832
thanks but "Allow log on through Terminal Services" is automatically  assign when a user added to "remote desktop users" built in AD group than why i need to setup this group policy separately.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39293478
The backup operators group needs to be added to the remote desktop user's group on each PC.  You might want to test it on one.  To do this through group policy you need to make use of "restricted groups".  This will replace the members of the local Administrators group so be careful how you use it , as you can lock yourself out.  I recommnd applying the policy only to member computers and not servers.

From an older post of mine.  The links are older but still apply.  You can also do it with a script, let me know if you want details.

"Restricted Groups" is designed specificaly for this purpose. It lets you create a group of users that will be members of the local (Pc's) admin group, but not domain admins. When setting it up be careful as it can replace all local admins (except the default administrator account) and if you haven't added your account or a group to which you belong, you could be locked out. Also, make sure you only apply it to a computer OU, i.e. make sure you do not apply it to your Domain Controllers.
http://www.frickelsoft.net/blog/?p=13
There are some TouTube vieos on this as well
http://www.google.ca/#hl=en&q=2008+restricted+groups&gs_sm=e&gs_upl=37653l44242l0l44456l23l17l0l6l6l0l472l3384l0.7.8.0.1l22l0&um=1&ie=UTF-8&tbo=u&tbm=vid&source=og&sa=N&tab=wv&bav=on.2,or.r_gc.r_pw.,cf.osb&fp=89c4b17b97ea8f9d&biw=1449&bih=743
0
 
LVL 18

Assisted Solution

by:irweazelwallis
irweazelwallis earned 100 total points
ID: 39293492
adding them to remote desktop users will only work if the local groups on the servers and the settings for "allow log on through terminal services"

as said by "ThinkPaper" group policy can amend this group and the settings that use this group via group policy. If you do this that way every time it refreshes group policy it ensure the group membership and local right are assigned correctly.

Without using group policy or local policies that are checked and maintained someone can change this settings and revoke access until someone checks and sets it back
0
 

Author Closing Comment

by:pdixit1977
ID: 39311066
thanks
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now