Disable "Allow logon to terminal server"

Archived from groups: microsoft.public.win2000.security

Is there a way to remotely manage (script, GPO, etc) the local account
property, "Allow logon to terminal server" for local accounts on Windows 2000
servers? The domain is also Windows 2000.
  1.

    You could remote in via TS to manage those accounts or use security policy
    to manage the user right for "logon locally" which a user will need to
    access a TS in W2K. In Windows 2003 that has been changed to a separate user
    right called "allow logon through Terminal Services". That can be configured
    through Local Security Policy or you can put the computer in an
    Organizational Unit with its own GPO with the logon locally configured to
    your needs. User rights are accessible through computer
    configuration/Windows settings/security settings/local policies/user rights.
    That will not directly configure the user's local account but they can not
    logon without the logon locally user right. -- Steve


    "Jason Cook" <JasonCook@discussions.microsoft.com> wrote in message
    news:1518C02B-BBCA-4C9C-B5AE-1E35C9B4FA99@microsoft.com...
    > Is there a way to remotely manage (script, GPO, etc) the local account
    > property, "Allow logon to terminal server" for local accounts on Windows
    > 2000
    > servers? The domain is also Windows 2000.
  2.

    Steve,

    Thanks for the response. Let me add a little more background which should
    further explain my issue. I need to disable the permission, "Allow logon to
    terminal server," for over 2000 administrative service accounts located on
    800 servers and due to some archaic applications I can not always remove the
    security permission, "logon locally". Manually disabling this property per
    account is not an option I can realistically implement.

    Also, the member server and domain are all Windows 2000 so I do not have the
    TS luxuries provided by Windows 2003 GPOs.

    My gut instinct is that there is likely a way to set this account property
    via a script but I’ve exhausted several searches trying to find it. Any
    additional thoughts would be appreciated…


    Thanks for the response. Let me add a little additional background which
    should further explain my issue. I need to disable the permission, "Allow
    logon to terminal server," for over 2000 accounts located on 700 servers but
    in some instances I can not remove the security permission, "logon locally".

    "Steven L Umbach" wrote:

    > You could remote in via TS to manage those accounts or use security policy
    > to manage the user right for "logon locally" which a user will need to
    > access a TS in W2K. In Windows 2003 that has been changed to a separate user
    > right called "allow logon through Terminal Services". That can be configured
    > through Local Security Policy or you can put the computer in an
    > Organizational Unit with its own GPO with the logon locally configured to
    > your needs. User rights are accessible through computer
    > configuration/Windows settings/security settings/local policies/user rights.
    > That will not directly configure the user's local account but they can not
    > logon without the logon locally user right. -- Steve
  3.

    Hmm. I don't know of a way to automate that account property. You might also
    want to post in a Terminal Services newsgroup. I don't know how many TS you
    have but it might be feasible to take a look at configuring the RDP
    permissions on each TS to allow only specified domain groups permissions in
    Terminal Services Configuration connections/RDP/properties. If you have
    domain servers/computers that you never want to allow access to a TS you
    could implement an IPsec filtering policy that uses a block filter action to
    deny any outbound traffic for port 3389 from that computer. IPsec policies
    can be easily managed via Group Policy computer configuration. --- Steve


    "Jason Cook" <JasonCook@discussions.microsoft.com> wrote in message
    news:003E21EE-8B2F-4352-BF39-60D00D42B459@microsoft.com...
    > Steve,
    >
    > Thanks for the response. Let me add a little more background which should
    > further explain my issue. I need to disable the permission, "Allow logon
    > to
    > terminal server," for over 2000 administrative service accounts located on
    > 800 servers and due to some archaic applications I can not always remove
    > the
    > security permission, "logon locally". Manually disabling this property
    > per
    > account is not an option I can realistically implement.
    >
    > Also, the member server and domain are all Windows 2000 so I do not have
    > the
    > TS luxuries provided by Windows 2003 GPOs.
    >
    > My gut instinct is that there is likely a way to set this account property
    > via a script but I've exhausted several searches trying to find it. Any
    > additional thoughts would be appreciated.
    >
    >
    > Thanks for the response. Let me add a little additional background which
    > should further explain my issue. I need to disable the permission, "Allow
    > logon to terminal server," for over 2000 accounts located on 700 servers
    > but
    > in some instances I can not remove the security permission, "logon
    > locally".
  4.

    Steve thanks for your help. Amazingly enough I’ve found a scriptable method
    for setting the account property, "Allow logon to terminal server." I just
    came across the Sysinternals tool "TSCMD.exe" which can set this property
    along with several other TS account properties.

    http://www.systemtools.com/download/tscmd.zip

    With the discovery of this tool it will be trivial now to create a VBS or
    Batch script to disable this property for any number of local server
    accounts. Now the only challenge is monitoring compliance...


    "Steven L Umbach" wrote:

    > Hmm. I don't know of a way to automate that account property. You might also
    > want to post in a Terminal Services newsgroup. I don't know how many TS you
    > have but it might be feasible to take a look at configuring the RDP
    > permissions on each TS to allow only specified domain groups permissions in
    > Terminal Services Configuration connections/RDP/properties. If you have
    > domain servers/computers that you never want to allow access to a TS you
    > could implement an IPsec filtering policy that uses a block filter action to
    > deny any outbound traffic for port 3389 from that computer. IPsec policies
    > can be easily managed via Group Policy computer configuration. --- Steve
  5.

    Cool. I use a lot of their tools but have never run across tscmd.exe. Thanks
    for posting back with that info! --- Steve


    "Jason Cook" <JasonCook@discussions.microsoft.com> wrote in message
    news:3BF69D48-4123-484F-89BB-21550E09BFC2@microsoft.com...
    > Steve thanks for your help. Amazingly enough I've found a scriptable
    > method
    > for setting the account property, "Allow logon to terminal server." I
    > just
    > came across the Sysinternals tool "TSCMD.exe" which can set this property
    > along with several other TS account properties.
    >
    > http://www.systemtools.com/download/tscmd.zip
    >
    > With the discovery of this tool it will be trivial now to create a VBS or
    > Batch script to disable this property for any number of local server
    > accounts. Now the only challenge is monitoring compliance...