Re: Remote Desktop rights to Member Servers via GPO




Then you are left with a computer startup script GPO that checks the members
of this group and adds your domain group via the net localgroup /add
command.

"Tom" <Tom@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:843A1EC9-D9C0-41EE-BB7B-C1655A29026E@xxxxxxxxxxxxxxxx
Hi Neo, not a dangerous assumption, as we are talking about 2ksp4 and
higher. My understanding of Restricted groups is that the GPO will totally
replace the target group membership, which might be a problem with the
developers and we have not examined the local group membership for ACE's
that would be removed inadvertently.

Is there a way to "merge" the restricted group into local group membership?

Thanks for your reply!

Tom

"neo [mvp outlook]" wrote:

I'll make a dangerous assumption that you are working with a Windows 2000
SP4 or better Active Directory Domain + Member servers, but have you tried
using a Restricted Groups* GPO to populate the Remote Desktop Users group
with your domain group?

/neo

* In this case, I'm thinking about the bottom half that covers Member Of.
(e.g. you type in "(G)AllServerAdmins" and then say this should be a member
of Remote Desktop Users)

"Tom" <Tom@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2E2091F4-3A67-43B3-ADAA-D860F51FDD56@xxxxxxxxxxxxxxxx
Hi Folks, I've got an issue here and am losing hair by the minute:) :

I have a scenario giving me problems. I am trying to grant a specific
global group the rights to rdp to member servers (Admin mode, btw) in AD.
Members of this group are not to be Domain Admins.

The "Remote Desktop Users" (RDP) group only grants access to DC's, as
tested by membership.

I have:
1. Created the GPO with the following rights to a global group
named "(G)AllServerAdmins"

"Allow logon through Terminal Services"
"Allow logon locally" (not needed, but I'm grasping at straws here:)

2. Linked the GPO to the OU housing the member servers.
3. Verified the GPO machine policy is applied (gpresult) and that there
is no "Block Inheritance" on the OU hierarchy which the Member servers
reside.

A user, who is a member of the "(G)AllServerAdmins" group and "Remote
Desktop Users" still cannot rdp to a member server. They can successfully
rdp to a domain controller which seems backwards.

Naturally, if I manually add the "(G)AllServerAdmins" to the local
"Administrators" group on a member server, everything works fine. The
problem is that we don't want to have to touch every member box to do this,
as it defeats the purpose of the GPO.

Am I going to have to script the addition of the global group to local
Administrators group? Seems like this should have been an obvious GPO, as
it's entirely too much work to do something so basic.

You'd think we'd be able to add group membership to local groups by GPO.

Thanks in advance!

Tom
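
The startup-script approach mentioned in the reply at the top of this thread, written out as an added example (not code from any poster): it checks the local group's membership and adds the domain group with net localgroup /add only when it is missing, so existing members are left alone. The domain name EXAMPLE, the choice of Remote Desktop Users as the local group, and the log path are assumptions for illustration.

```bat
@echo off
rem Computer startup script (runs as LocalSystem on each member server).
rem Merges a domain group into a local group; other members are not touched.
rem Assumptions: EXAMPLE is a placeholder NetBIOS domain name, the target
rem local group is Remote Desktop Users, and the log path is arbitrary.
setlocal
set "LOCALGROUP=Remote Desktop Users"
set "DOMGROUP=EXAMPLE\(G)AllServerAdmins"
set "LOG=%SystemRoot%\Temp\localgroup-merge.log"

rem Bail out if the local group does not exist on this machine.
net localgroup "%LOCALGROUP%" >nul 2>&1
if errorlevel 1 goto nogroup

rem Check current membership first. net localgroup lists domain members
rem as DOMAIN\name, one per line. /L /C: makes findstr treat the name as a
rem literal string; the match is a case-insensitive substring match.
net localgroup "%LOCALGROUP%" | findstr /I /L /C:"%DOMGROUP%" >nul
if not errorlevel 1 goto present

rem Not a member yet: add it. goto is used instead of if ( ... ) blocks
rem because the group name itself contains parentheses.
net localgroup "%LOCALGROUP%" "%DOMGROUP%" /add >nul 2>&1
if errorlevel 1 goto failed
>>"%LOG%" echo %DATE% %TIME% added %DOMGROUP% to %LOCALGROUP%
exit /b 0

:present
rem Already a member: nothing to do, so repeated boots change nothing.
exit /b 0

:nogroup
>>"%LOG%" echo %DATE% %TIME% local group %LOCALGROUP% not found
exit /b 1

:failed
>>"%LOG%" echo %DATE% %TIME% could not add %DOMGROUP% to %LOCALGROUP%
exit /b 1
```

Because the script only ever adds, removing the domain group from a server later needs a separate change; the log file shows which machines were modified and when.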