Terminal Services (Administration mode) Security

Archived from groups: microsoft.public.win2000.security

I have an AD group 'RDPaccess' consisting of users from two domains: the
local domain and its parent domain. I have added this group with full
access to the RDP connection in the Terminal Services Configuration
application on the Win2K server.

Using the remote desktop client:
Attempting to log in as a non-administrative user from the parent domain I
get the error 'You do not have permissions to log onto this session'. I
then added the RDPaccess group to the local machine Administrators group
(just to see whether the situation improved); no dice.

I can however log onto the server using an administrative login from the
parent domain, and a non-administrative login (still a member of RDPaccess)
in the local domain.

Am I missing something? Any suggestions?

Thanks!
3 answers
  1.

    On the Windows 2000 Terminal Server add your group to the "log on locally" user
    right. Do that in Local Security Policy for a domain member; you would
    have to do it in Domain Controller Security Policy for domain controllers.
    Look under Security Settings/Local Policies/User Rights Assignment. If the server is a
    domain controller you may want to put it in a child OU of the Domain
    Controllers OU and then configure that user right via a GPO for that OU.
    That will prevent that group from being able to log on to all domain
    controllers locally. If you do so, be sure Administrators is also included
    in the "log on locally" user right. Keep in mind that any "deny" user right
    will override any "allow" user right and that administrators are also
    members of the Users and Everyone groups. If you are doing this on a non-
    domain controller, be sure that the local setting equals the effective
    setting after refreshing the policy. If it does not, there is a domain/OU
    policy overriding the local policy. --- Steve


    <Navigato> wrote in message news:uooq4iJrEHA.1152@TK2MSFTNGP11.phx.gbl...
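The check Steve describes (is the group in the "log on locally" right, does the local setting match the effective one, is a "deny" right overriding it) and the point in the final reply (local Administrators membership is far more than a logon right) can be scripted. The following is an added example, not code from the thread: it uses secedit, which has been present since Windows 2000, driven from PowerShell, which is what an administrator would use on a current server. The group name CORP\RDPaccess, the temporary file names and the -Grant switch are assumptions for illustration.

```powershell
# Added example, not from the original thread: audit (and optionally grant)
# the "Log on locally" user right for one group on the local machine, and
# flag the local-Administrators shortcut from the follow-up post.
param(
    [string]$Group = 'CORP\RDPaccess',   # assumption: replace with your group
    [switch]$Grant                       # actually add the right (runs secedit /configure)
)

# secedit writes principals as *S-1-5-... in the exported template, so compare by SID.
$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

function Get-UserRightMembers {
    param([string]$Right, [switch]$Effective)
    $inf = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    $secArgs = @('/export', '/cfg', $inf, '/areas', 'USER_RIGHTS')
    # /mergedpolicy exports the effective (local + domain/OU GPO) setting
    # instead of the local setting alone; the two should agree after a refresh.
    if ($Effective) { $secArgs += '/mergedpolicy' }
    & secedit.exe @secArgs | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Value is a comma-separated list of *SIDs (or account names); strip the leading *.
    return ((($line -split '=', 2)[1]) -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Test-Holds { param([string[]]$Members) ($Members -contains $sid) -or ($Members -contains $Group) }

$allowLocal   = Get-UserRightMembers 'SeInteractiveLogonRight'
$allowEff     = Get-UserRightMembers 'SeInteractiveLogonRight' -Effective
$denyEff      = Get-UserRightMembers 'SeDenyInteractiveLogonRight' -Effective
$isLocalAdmin = [bool](net localgroup Administrators | Where-Object { $_.Trim() -eq $Group })

if (Test-Holds $denyEff) {
    Write-Warning "$Group is in 'Deny log on locally'; deny overrides allow, so logon fails."
} elseif (Test-Holds $allowEff) {
    Write-Host "$Group holds 'Log on locally' in the effective policy."
} elseif (Test-Holds $allowLocal) {
    Write-Warning "$Group is in the local setting but not the effective one: a domain/OU GPO overrides it; fix it in that GPO."
} else {
    Write-Warning "$Group lacks 'Log on locally'; RDP logon fails with 'You do not have permissions to log onto this session'."
}
if ($isLocalAdmin) {
    Write-Warning "$Group is in local Administrators: that grants far more than the logon right it needs."
}

if ($Grant -and -not (Test-Holds $allowLocal)) {
    # secedit /configure replaces the right's member list with the template's,
    # so keep the existing members (Administrators included) and append the group.
    $members = @($allowLocal | ForEach-Object { if ($_ -match '^S-1-') { "*$_" } else { $_ } }) + "*$sid"
    $inf = Join-Path $env:TEMP 'grant-logon.inf'   # assumed scratch file names
    $db  = Join-Path $env:TEMP 'grant-logon.sdb'
    @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Privilege Rights]',
        "SeInteractiveLogonRight = $($members -join ',')"
    ) | Set-Content -Path $inf -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    # Then refresh and re-run the audit: on Windows 2000 use
    # 'secedit /refreshpolicy machine_policy /enforce'; on XP/2003 and later, 'gpupdate /force'.
}
```

Run it once without -Grant to see which of the four states the group is in; the "local but not effective" branch is the one Steve's last sentence warns about, and it means the fix belongs in the overriding GPO, not in Local Security Policy. On a domain controller the same template applies through the Domain Controller Security Policy (or a child-OU GPO) rather than the local database.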
  2.

    Steve, thanks! I figured my first issue was the delay in replication since
    the child domain is halfway around the world :-) The second issue is just like
    you said: if not specifically allowed the 'log on locally' user right on
    the member servers, the login is rejected. Since administrators have this
    capability, when I added the group to the Administrators of the local machine
    the problem was solved. (These folks will need admin access anyway.)

    Rock on!

    "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
    news:FCi9d.140637$wV.138303@attbi_s54...
  3.

    Glad you got it working. Just keep in mind that you do not have to make the
    users local administrators to allow them to log on locally, and that could
    give users a lot more rights than needed to mess things up. --- Steve


    <Navigato> wrote in message news:OO$owaUrEHA.644@tk2msftngp13.phx.gbl...