bigdug
asked on
RDP serial port problems W2008R2 AD controller and TS server
Hello,
First of all let me start by saying this is a client machine and we have already reiterated many times that allowing regular users to connect to their AD controller to run applications is a horrendously bad idea and violates several security and configuration recommendations.
That said, the client insists on doing it anyway, so here is my question:
When running their application from a local logon on the console they can access a serial device. When running the application through RDP and attempting to run the same application using a redirected client serial port, the application cannot operate the serial device.
The port is redirecting properly, we see it with change port /query and the configuration of rdp-tcp and the specific policies for device redirection are all correct for allowing this to work.
Under R2 I can replicate the error on a non-domain controller, and it goes away when the user is added to the local administrators group of the server. Unfortunately there is no local group on an AD controller, and adding them to the domain admins group does not make this work. This gives me the impression that it is a default User Access policy issue (UAC itself is disabled in both cases to prevent token filtering issues).
Are there any specific user access permissions affecting the serial ports in GPedit?
Thanks in advance..
This doesn't directly answer that question, but have you tried adding the users to the Server Operators group?
ASKER CERTIFIED SOLUTION
ASKER
It turned out to be a combination of two things. The first was this policy, and the second was that one of the helpful users had re-enabled UAC. Not sure which of the two caused this odd behaviour, but I changed both and it stopped. The odd part was seeing it in portQry; that makes me think UAC was the main issue. I believe if the policy was taking effect it would not map at all. Too many cooks in the kitchen with this problem, I'm afraid.