Re: Preventing logon to local accounts



Hi Guys, thanks for the advice. I am on information overload now!

> Connecting to what? Do you have a terminal server? That would be a
> good idea if you have a lot of remote users.

Ok, just to sum it all up, (I think this is right) we have 2 AD servers and
6 Terminal Servers. We have several hundred PC users which connect to TSs
for access to our profit system. Users also use their PCs for email access
and other things locally, however we are trying to gradually add these PCs
to the domain.
So, certain users use VPN to connect up from home. They can connect to the
TS applications with no problem, and they can connect up to their local
account by using RDC, but on the test machine that I have connected to the
domain and removed the local account on, I can't connect to it via RDC
(emulating the method they would use from home).

> You can use "Allow log on locally" Group Policy setting (Computer
> Configuration\Windows Settings\Security Settings\Local
> Policies\User Rights Assignments) and replace local Users with
> Domain Users in the listing of groups in this category. Just make
> sure you test this on target PCs to avoid any collateral
> damage...

This was originally set to list the specific user only, so I have now
changed it to display the domain user.

> Create a GPO, filter this with a security group that contains the
> workstations that you would like to enable RDP.
>
> Enable RDP on the selected workstations:
>
> 1. In the group policy object, click to expand Computer Configuration, click
> to expand Administrative Templates, click to expand Windows Components, and
> then click to expand Terminal Services.
>
> 2. Double-click the "Allow users to connect remotely using Terminal
> Services" policy.
>
> 3. Set the policy to Enable, and then click OK.
>
> however instead of visiting each workstation
>
> go to windows settings/security settings/restricted groups/right click add
> new group/add your global security group that contains the users that you
> want to access the workstations using rdp/Select this group is a member
> of: choose remote desktop user

This setting was already in place, but I checked it and it all looks in order.

The only thing that I have noticed is that the Domain computer in question
is actively a member of 2 groups, RDP's and Desktop users (desktop users is
the policy I have been working on to customize the domain PCs).

Could this be the cause?
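
An added example, not part of the original post: a PowerShell check, run on the workstation itself, of what the settings discussed in this thread actually resolved to (RDP enabled, Remote Desktop Users membership, logon rights, applied GPOs). It assumes an elevated prompt and English group names; beyond the "Allow log on locally" right named above, it also lists the separate "Allow log on through Terminal Services" right, which is an addition here.

```powershell
# Added example (not from the thread): run elevated on the domain-joined test PC.

# 1. Is RDP enabled? A value written by the GPO overrides the local setting.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$policy = (Get-ItemProperty $policyKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$local  = (Get-ItemProperty $localKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$deny = if ($null -ne $policy) { $policy } else { $local }
'RDP enabled: {0} (policy value={1}, local value={2})' -f ($deny -eq 0), $policy, $local

# 2. Who is in the local group that the Restricted Groups policy should populate?
net localgroup "Remote Desktop Users"

# 3. Which accounts hold the logon rights? Entries starting with * are SIDs.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Get-Content $inf | Select-String -Pattern @(
    '^SeInteractiveLogonRight',            # Allow log on locally
    '^SeRemoteInteractiveLogonRight',      # Allow log on through Terminal Services
    '^SeDenyRemoteInteractiveLogonRight'   # Deny log on through Terminal Services
)
Remove-Item $inf

# 4. Which GPOs applied to this computer, and which were filtered out?
gpresult /scope computer /v
```

The `gpresult` output lists the security groups the computer account belongs to next to the applied and filtered GPOs, which shows directly whether security filtering is excluding a policy.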




